Dinstein Tech News Digest

Security checks across malware telemetry and agentic risk

Overview

This tech digest skill is mostly coherent, but it should be reviewed because it can automatically use local GitHub credentials and a configured private-key file despite partly overstating its workspace-only file access.

Install only if you are comfortable with a scheduled agent fetching public tech sources, writing digest archives, pruning old archive files, and sending reports to Discord or email. Use least-privilege API keys, avoid broad GitHub tokens where possible, verify GH_APP_KEY_FILE points only to the intended private key, and review or disable any recurring delivery job you do not explicitly want.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly exercises sensitive capabilities including network access, shell execution, file reads/writes, and environment-variable access, yet the manifest does not declare an explicit permissions model. That creates a transparency and review gap: operators may approve a seemingly simple digest skill without realizing it can execute commands, access credentials, and send outbound data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security notes claim no files outside the workspace are accessed, but the same document instructs users to store secrets in ~/.zshenv and supports reading a GitHub App private key from an arbitrary path via GH_APP_KEY_FILE. This inconsistency can mislead reviewers about actual data access boundaries and hide that the skill may consume sensitive files outside the workspace.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README encourages one-message setup for installation, configuration, scheduling, and delivery to external channels without warning about the side effects of automated actions. In an agent-driven environment, this can normalize high-impact operations that transmit data off-system or create persistent scheduled tasks without clear user awareness or consent boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to provide multiple API tokens for third-party services and describes broad external data collection, but it does not include guidance on secret handling, least privilege, or third-party data-sharing implications. This increases the chance of credential leakage, overbroad token use, or unintentional transmission of collected content and metadata to external providers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The prompt instructs the agent to create archive files and delete files older than 90 days in the user's workspace without requiring explicit user consent or a warning that local files will be modified. In an agent setting, silent persistent writes and deletions can cause unintended data loss or violate user expectations, especially if workspace paths are broad or misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt directs the agent to transmit generated content to Discord and optionally by email, but does not require explicit disclosure or confirmation before sending data to external services. This creates a real exfiltration risk because collected and summarized content, including any workspace-derived context or mis-ingested sensitive data, could be sent off-system without the user's informed approval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template explicitly instructs the agent to send generated HTML through `gog gmail send` but provides no warning, confirmation step, or guidance about transmitting potentially sensitive or unreviewed content to an external email service. In this skill, the digest is built from aggregated external sources and generated summaries, so accidental inclusion of private data, prompt-injected content, or misleading links could be emailed out without user awareness or review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically searches multiple credential sources, including `GITHUB_TOKEN`, GitHub App material, and the local `gh auth token` context, without requiring explicit user consent at runtime. In an agent/skill context, this is dangerous because merely running a news-digest fetcher can silently consume locally available credentials and use them for outbound API calls, expanding access beyond what a user may expect from the skill description.

VirusTotal

62/62 vendors flagged this skill as clean.
