WeWe RSS Reader

Security checks across malware telemetry and agentic risk

Overview

This article-reading skill mostly stays within its stated purpose, but its documentation also asks agents to handle account login material, forward it to a Feishu group, and start Docker services, none of it gated by clear user control.

Review before installing. Use it only with a WeWe RSS deployment you control, rotate or replace the exposed AUTH_CODE, do not send login QR codes or confirmation URLs to shared Feishu groups, and require explicit approval before the agent starts Docker services or manages account login state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill is presented as an article-reading capability, but the documentation materially expands scope into account login, subscription management, QR-based authorization, and even container operations. This broadening increases the chance an agent will perform sensitive actions unrelated to the user’s immediate request, violating least privilege and enabling unintended account access or local system changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The recovery step instructs the agent to run `docker compose up -d`, which starts local services and changes host state even though the skill is ostensibly for reading articles. In an agent context, this can trigger unauthorized service startup, expose ports, or run unreviewed containers without explicit user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The documented login flow introduces QR-code delivery to Feishu and polling for authorization, which goes beyond simple article reading into delegated account-authentication handling. That creates risk of account takeover, credential/session misuse, and privacy leakage if an agent sends authentication artifacts to the wrong audience or proceeds without adequate consent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill exposes a hardcoded `AUTH_CODE` directly in documentation, which is effectively a shared secret embedded in plaintext. Anyone with access to the skill can reuse it to interact with the local service, undermining access control and making unauthorized API use much easier.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The instructions direct the agent to send a login QR or confirmation URL to a Feishu group without safeguards about who can view it. Authentication links and QR codes are sensitive session-initiation artifacts; posting them to a group can let unintended recipients authorize or hijack the account.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The documented fallback runs `docker compose up -d` without warning that it will start containers and alter the local environment. While not a secret leak by itself, it can cause unintended system changes, consume resources, and normalize unsafe autonomous host administration by an agent.
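The six findings above reduce to three concrete textual patterns in the skill document (a hardcoded AUTH_CODE, a host-changing `docker compose up`, and a login QR or URL routed to Feishu) plus the broader scope drift of the first finding. The following is an added example, written for this page and not taken from the SkillSpector report, the skill, or the WeWe RSS project: a small pre-install linter that encodes those patterns so a reviewer can run it over a SKILL.md before an agent ever loads it. The skill text it scans is constructed for the example, and the AUTH_CODE value in it is a placeholder, not the real exposed code.

```python
"""Pre-install review of an agent skill document (added example, not project code).

Checks a skill's markdown for the patterns flagged above: a hardcoded AUTH_CODE,
container commands that alter host state, authentication artifacts sent to an
external group, and capability wording that exceeds the declared purpose.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pattern: str    # category label, following the report's taxonomy
    severity: str
    line_no: int
    evidence: str   # matched text; secrets are masked by mask_secret() before reporting


# Constructed SKILL.md for this example; the AUTH_CODE value is a placeholder.
SAMPLE_SKILL_MD = """\
# WeWe RSS Reader
Read articles from a WeWe RSS instance.
Set AUTH_CODE=s3cret-demo-value in requests to the local API.
If the service is down, run `docker compose up -d` to recover.
For login, fetch the QR code and send it to the Feishu group, then poll /auth/status.
"""

# (regex, pattern label, severity). Labels reuse the report's category names.
RULES = [
    (re.compile(r"\bAUTH_CODE\s*[=:]\s*\S+"),
     "Credential Access (hardcoded shared secret)", "Medium"),
    (re.compile(r"\bdocker(\s+compose|-compose)?\s+(up|run|start)\b"),
     "Excessive Agency (host state change)", "Medium"),
    # an auth-related noun followed later on the line by an external destination
    (re.compile(r"\b(QR|login|auth\w*)\b.*\b(Feishu|webhook|group)\b", re.I),
     "External Transmission (authentication artifact)", "Medium"),
]

# Capability wording that an article-reading skill has no reason to contain.
CAPABILITY_TERMS = {
    "account login": re.compile(r"\blog\s?in\b", re.I),
    "container operations": re.compile(r"\bdocker\b", re.I),
    "external messaging": re.compile(r"\bFeishu\b", re.I),
}


def scan_skill(text: str) -> list[Finding]:
    """Return one Finding per rule hit, in document order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rx, label, severity in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(label, severity, n, m.group(0)))
    return findings


def scope_drift(text: str) -> list[str]:
    """Capabilities mentioned in the document beyond plain article reading."""
    return sorted(name for name, rx in CAPABILITY_TERMS.items() if rx.search(text))


def mask_secret(evidence: str) -> str:
    """Never echo the secret itself into a review report."""
    return re.sub(r"(AUTH_CODE\s*[=:]\s*)\S+", r"\1***", evidence)


def report(text: str) -> str:
    lines = [f"L{f.line_no} [{f.severity}] {f.pattern}: {mask_secret(f.evidence)}"
             for f in scan_skill(text)]
    drift = scope_drift(text)
    if drift:
        lines.append("Description-Behavior Mismatch: " + ", ".join(drift))
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_SKILL_MD))
```

Run it against the real skill's markdown in place of the constructed sample; a hit on the first rule is the signal to rotate AUTH_CODE before anything else, and a hit on the second or third is the point at which to require an explicit approval step in the agent harness.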

VirusTotal

VirusTotal findings are pending for this skill version.