Dinstein Tech News Digest

Security checks across malware telemetry and agentic risk

Overview

This is a coherent tech-news digest skill, but users should configure credentials, delivery targets, enrichment, and archive cleanup deliberately.

Before installing, choose only the sources and delivery destinations you need, use dedicated least-privilege API keys, avoid broad personal GitHub tokens, verify channel IDs and email recipients, disable enrichment in restricted environments, and ensure WORKSPACE points to a skill-specific archive directory before enabling scheduled cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%
Finding
The skill clearly documents capabilities for environment-variable access, filesystem reads/writes, outbound network access, and shell execution, yet no explicit permissions are declared. This creates a transparency and trust problem: operators may install or invoke the skill without understanding its effective privilege set, increasing the chance of overbroad execution in sensitive environments.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The security notes claim data is only sent to a fixed set of APIs, but the documented enrichment step fetches arbitrary article URLs from collected content. That mismatch can mislead reviewers about the actual network boundary and allows requests to many third-party domains, which expands tracking, SSRF-like reach to attacker-controlled URLs, and data exposure risk.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The file-access section states no files outside the workspace are accessed, but the same document permits reading a GitHub App private key from an arbitrary path and discusses using tool-managed credential stores. This inconsistency hides actual file access scope, which can cause operators to underestimate exposure of host secrets and sensitive local files.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill generates GitHub App installation credentials by reading a local private key and invoking `openssl`, then transmits a JWT to GitHub to mint an access token. For a content-fetching skill, automatically escalating to local credential material is risky because it silently broadens access to secrets and can operate with higher privileges than the user expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The code enumerates multiple local secret sources—environment variables, GitHub App credential paths, and `gh auth token`—to obtain credentials beyond simple public-content retrieval. In an agent skill context, this behavior is dangerous because it opportunistically harvests available credentials from the runtime environment and local tooling without strong user awareness or consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The README markets one-message installation that automatically performs installation, configuration, scheduling, and delivery, which can lead users to authorize impactful actions without understanding what systems will be modified or what outbound connections will be made. In an agent context, this increases the risk of over-broad consent, unintended scheduled tasks, and unauthorized use of external APIs or communication channels.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
The examples encourage sending digests to Discord, Telegram, and other external destinations without any privacy notice, recipient verification, or warning that collected content may be transmitted off-platform. In an agent-driven workflow, this can cause accidental disclosure of internal feeds, customized source lists, or sensitive summaries to third-party services or wrong channels.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The prompt instructs the agent to delete archive files older than 90 days, which is a destructive filesystem action without any confirmation, scoping safeguards, or user-visible warning. In an agent setting where <WORKSPACE> is caller-supplied, a misconfigured or maliciously influenced workspace path could cause unintended data loss beyond the expected archive contents.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The template explicitly instructs the agent to send generated HTML through Gmail, but it provides no warning that the content will be transmitted to an external email service. Because the digest is assembled from multiple external sources and may contain sensitive, proprietary, or unreviewed content, this omission can cause unintended data disclosure or privacy/compliance issues when an operator follows the instructions blindly.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The GitHub App private key is copied into a temporary file on disk so `openssl` can sign the JWT. Even though the file is deleted in a `finally` block, writing sensitive key material to `/tmp` increases exposure to local disclosure through filesystem permissions, race conditions, backups, crash artifacts, or host-level monitoring.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding
The script stores persistent state in a predictable world-writable location under /tmp without any safeguards such as restrictive permissions, validation, or atomic secure file creation. On multi-user systems, another local user or process could tamper with, replace, or symlink this file, causing inaccurate health reporting or unintended overwrites of other files accessible to the script.

VirusTotal

65/65 vendors flagged this skill as clean.