last30days

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real recent-research skill, but it needs review because bundled optional tools can persist research data, send webhook notices, and execute checked-out code with the user's API-key environment.

Install only if you trust the AISA service and are comfortable sending research topics and retrieved public-content snippets to external services. Avoid sensitive or regulated topics unless you have reviewed data handling. Do not run the evaluation script against untrusted revisions, and review or avoid watchlist, local storage, briefing archives, and webhook delivery unless you want persistent research history and outbound notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd.append("--quick")
    if mock:
        cmd.append("--mock")
    result = subprocess.run(
        cmd,
        cwd=repo_dir,
        env=env,
Confidence
95% confidence
Finding
result = subprocess.run( cmd, cwd=repo_dir, env=env, capture_output=True, text=True, timeout=timeout_seconds, check=False, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def create_worktree(rev: str) -> Path:
    worktree_dir = Path(tempfile.mkdtemp(prefix="last30days-eval-"))
    subprocess.run(
        ["git", "worktree", "add", "--detach", str(worktree_dir), rev],
        cwd=REPO_ROOT,
        check=True,
Confidence
87% confidence
Finding
subprocess.run( ["git", "worktree", "add", "--detach", str(worktree_dir), rev], cwd=REPO_ROOT, check=True, capture_output=True, text=True, )

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill is presented as a one-shot 'last 30 days' research helper, but the analyzer indicates substantially broader behavior including persistent SQLite storage, watchlists, scheduled briefings, local archives, and webhook delivery. That mismatch is dangerous because users may supply sensitive research topics or tokens without realizing the skill may retain data over time or transmit outputs to additional endpoints.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script's purpose is evaluation, but it performs privileged actions beyond passive analysis by checking out arbitrary revisions and executing their Python code. In the context of a research-oriented skill, this capability materially expands risk: a malicious revision can run arbitrary code, access network resources, and misuse inherited credentials during evaluation.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script includes subprocess execution and git worktree manipulation that are unrelated to the declared recent-research behavior of the skill. This mismatch increases attack surface and makes the skill more dangerous because an ostensibly research-focused tool is also capable of code checkout and execution workflows.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The pipeline can enable Threads, Pinterest, and Xiaohongshu even though the skill metadata only declares Reddit, X/Twitter, YouTube, TikTok, Instagram, Hacker News, Polymarket, GitHub, and web search. That creates a scope-expansion issue: a caller may believe the skill is constrained to declared sources while the code can quietly reach additional third-party services and transmit user queries there.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The retrieval dispatcher contains execution paths for undeclared sources including threads, pinterest, and xiaohongshu, so the actual network behavior exceeds the documented platform list. In an agent setting this is dangerous because user input and search terms may be sent to unexpected external providers, undermining consent, data-handling expectations, and reviewability.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file is described as 'AISA-only', but the transcript path performs direct outbound HTTP requests to YouTube when transcript enrichment is enabled. This discrepancy is dangerous because it bypasses expected network boundaries, privacy assumptions, and any centralized controls or logging that may exist only on the AISA proxy path.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstrings say local-binary extraction is disabled and imply hosted-runtime safety, but the code still supports transcript retrieval through direct HTTP scraping. Misleading security documentation can cause operators to enable or deploy the skill under false assumptions about outbound access and data flow.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The search_and_transcribe docstring states the runtime 'stays fully AISA-only' while optional transcript enrichment can trigger direct requests to YouTube. That mismatch increases the risk of policy bypass, especially in controlled environments where direct egress or undisclosed third-party contact is prohibited.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The script is labeled as a 'Safe local file sync helper,' but after copying files it executes Python from the selected target environment and imports modules from the newly synced target directory. That can trigger import-time side effects in copied code or use an unexpected interpreter returned by dev-python.sh, so the safety claim is overstated and could mislead users into running code when they expect a passive file copy.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The watchlist runner invokes `last30days.py` with `--lookback-days 90`, which contradicts the skill's stated 'last 30 days' behavior. This can silently expand data collection beyond what users expect, increasing privacy, compliance, and trust risks, especially in a research tool that aggregates external content.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file adds webhook delivery capabilities that are not reflected in the stated skill description, creating an undisclosed outbound data flow. Hidden integration and exfiltration paths are dangerous in agent skills because users may assume the tool only performs research, not external notification or data transfer.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The generic webhook path permits posting to any HTTPS URL stored in configuration, which enables arbitrary outbound transmission of research-derived metadata. In an agent skill, this is a significant exfiltration primitive because a misconfigured, malicious, or attacker-controlled endpoint could receive topic names, activity timing, and update counts without further validation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown says queries are sent to AISA-hosted planning/search and multiple external platforms, but it does not clearly warn users that their prompts/topics may be transmitted to third-party services. In a research skill, queries can contain confidential company plans, investigations, or personal names, so silent external transmission creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The setup section references hosted credentials and optional GitHub tokens but gives no explicit warning about how those credentials are used or what API access they enable. That can lead operators to expose tokens without understanding scope, downstream requests, logging, or whether user queries and repository/account data may be sent to hosted services.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The evaluation sends topics and result metadata (titles, URLs, dates, sources) to an external judging model without any notice or consent mechanism in this file. If topics or results contain sensitive user research targets, internal company names, or private URLs, that data is disclosed to a third-party service.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code sends titles, snippets, and extracted comment text from scraped public content to an external LLM provider for scoring. Even though the content is marked untrusted and the prompt warns against instruction-following, there is still a real data-sharing risk because third-party model calls may transmit personal data, copyrighted text, or sensitive collected material without clear consent, minimization, or an explicit disclosure boundary in this code path.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The UI encourages users to add `AISA_API_KEY` and describes unlocking hosted X, YouTube, web, and Polymarket paths, but does not clearly disclose that using those features will send requests to external hosted services. In a research skill that processes user queries, weak disclosure can cause users to unknowingly route potentially sensitive prompts or research topics through third-party infrastructure.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The authentication help text instructs users to persist `AISA_API_KEY` in local env files to enable a hosted proxy, but omits a clear warning that an external provider will process requests. That omission can lead to uninformed credential setup and unintended disclosure of user research activity to third-party services.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The diagnostic banner prompts users to add `AISA_API_KEY` for hosted paths without clarifying that those paths rely on external APIs. Because this skill performs broad recent research across multiple platforms, users may submit sensitive company, competitor, or personal-profile investigations without realizing their queries will be relayed externally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code fetches watch pages and caption tracks directly from YouTube for specific video IDs without any disclosure or consent mechanism in this component. This can leak user research interests, violate privacy/compliance expectations, and create an unreviewed third-party data-sharing path from a skill that appears to rely on a proxy service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the full request payload, which includes the generated planner prompt and any user-supplied --context, directly to stdout before sending the network request. In practice this can leak sensitive research topics, copied web context, or other confidential input into terminal history, CI logs, or shared observability systems, making it a real information disclosure issue even though it appears intended for debugging.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Webhook delivery is triggered automatically when new findings exist, but this file provides no user-facing warning, consent prompt, or disclosure at the time of transmission. That makes data sharing easy to overlook and increases the risk of unintended leakage from a skill whose primary purpose appears to be research, not notification routing.

VirusTotal

66/66 vendors flagged this skill as clean.
