daily-news-brief

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed news-brief tool that fetches public news, saves summaries locally, and can optionally schedule or push them through OpenClaw channels.

Install only if you want a Node-based news tool that can fetch public feeds, write files under your home directory, and optionally run on a schedule or send summaries to messaging channels. Keep push disabled unless you have verified the OpenClaw channel targets, and inspect cron and deletion commands before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (12)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill clearly describes network-dependent behavior such as RSS fetching, web scraping, and OpenClaw-based outbound delivery, but no explicit permissions are declared. This weakens user awareness and platform control over network access, increasing the chance of silent external communication or future scope creep without clear consent boundaries.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The declared purpose emphasizes news aggregation and markdown generation, but the skill also persists files in the user's home directory, modifies configuration, manages scheduling, and sends content to third-party channels. This mismatch can mislead users and reviewers about the real operational scope, causing unintended data storage, background execution, and external transmission.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: This file adds outbound messaging capability by invoking the external `openclaw` CLI to send generated summaries to configured channels. While the feature appears aligned with the skill’s stated support for scheduled news brief delivery, it expands the trust boundary: fetched and summarized external content can be transmitted off-host to arbitrary configured destinations without additional validation, confirmation, or command allowlisting beyond fixed arguments.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The configuration workflow for a news-brief skill includes OpenClaw third-party channel login actions that are outside simple local configuration editing. This expands the skill's scope into external account authorization and could prompt users to authenticate messaging platforms or expose destinations without clear necessity, increasing the risk of credential misuse or unintended outbound data flows.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The workflow directly edits the user's system crontab, which is a host-level persistence mechanism rather than a skill-local setting. This can create or modify recurring execution outside the immediate task context, making the skill more dangerous because it changes system scheduling state and may overwrite unrelated cron entries through brittle text replacement.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The workflow includes a destructive operation to delete all historical news documents under a user directory. Even with a yes/no prompt, embedding bulk deletion in a general configuration flow increases the chance of accidental data loss, especially because shell path expansion and recursive deletion are high-risk primitives.

Description-Behavior Mismatch

Low

Confidence: 82% confidence
Finding: The workflow instructs creation of persistent scheduled tasks via OpenClaw cron or system cron, causing the skill to keep running in the background after setup. Even though scheduling is part of the skill's purpose, this is security-relevant because recurring execution persists beyond the current session and may continue network activity and message delivery without an explicit, prominent warning.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: Broad trigger phrases such as '新闻' and '今日新闻' are likely to match ordinary conversation, which can cause unintended invocation of a skill that performs network fetching, file creation, and possibly scheduled or external push actions. In this context, overbroad activation increases the risk of accidental execution rather than being a mere UX issue.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill mentions OpenClaw delivery to external channels like Telegram and Feishu, but it does not prominently warn that generated content may leave the local environment. Even if the content is 'just news,' outbound transmission to third-party platforms creates privacy, compliance, and account-scope risks, especially when channels or recipients are configured persistently.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The markdown instructs users to log into messaging channels and store push targets, but it does not warn about authentication sensitivity, destination disclosure, or how credentials and identifiers will be protected. In a skill that aggregates and pushes content, that omission raises the risk of unintended posting, token exposure, or leaking internal channel identifiers.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The workflow directs the agent to create and write `~/.daily-news-brief/config.json` under the user's home directory without an explicit warning that local files will be created or modified. Silent filesystem changes can surprise users, overwrite prior settings, or persist data such as channel selections and schedule details beyond the immediate interaction.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The setup creates an automatic scheduled task without a strong warning that commands will continue running on a recurring basis in the background. This persistence can lead to ongoing network fetches, local file writes, and push messages after the user may have forgotten the skill was installed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal