
Security audit

Literature Daily Report

Security checks across malware telemetry and agentic risk

Overview

This literature-report skill mostly matches its stated purpose, but it also automatically uses broad shell-loaded credentials and sends or persists reports to several destinations, including an under-disclosed Matrix channel.

Install only if you want report generation to also update shared Zotero data, persist facts into OpenClaw memory, copy files into workspace locations, and potentially send the report to Matrix. Use a limited Zotero API key, verify the group ID and helper scripts, and avoid scheduled runs unless every outbound and persistent side effect is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Load environment variables from ~/.zshrc and return the updated env dict"""
    env = os.environ.copy()
    try:
        result = subprocess.run(
            ["bash", "-l", "-c", "env"],
            capture_output=True, text=True, timeout=10
        )
Confidence
96% confidence
Finding
result = subprocess.run( ["bash", "-l", "-c", "env"], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
fact += f" | URL: {url}"

            # Invoke kg.py add
            result = subprocess.run(
                ["python3", KG_SCRIPT, "add",
                 "--entity", entity,
                 "--fact", fact,
Confidence
88% confidence
Finding
result = subprocess.run( ["python3", KG_SCRIPT, "add", "--entity", entity, "--fact", fact, "--category", primary_category

Tainted flow: 'fact' from requests.get (line 616, network input) → subprocess.run (code execution)

Critical
Category
Data Flow
Content
fact += f" | URL: {url}"

            # Invoke kg.py add
            result = subprocess.run(
                ["python3", KG_SCRIPT, "add",
                 "--entity", entity,
                 "--fact", fact,
Confidence
94% confidence
Finding
result = subprocess.run( ["python3", KG_SCRIPT, "add", "--entity", entity, "--fact", fact, "--category", primary_category

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities to read environment variables, access local files, write reports, invoke shell commands, and perform network operations, yet it declares no permissions. This creates a consent and transparency gap: a user or platform may invoke the skill expecting a low-risk reporting workflow while it can actually access credentials and modify local state.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill loads the full login-shell environment, which can reveal unrelated local credentials and execute startup logic unrelated to literature reporting. This exceeds the declared capability and broadens the skill into secret harvesting and shell-execution territory.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script sends the full generated report to Matrix, an outbound messaging action not clearly justified by the declared collection/report-generation purpose and performed without explicit consent in code. Even if the content is mostly public literature, it can still leak internal curation, usage patterns, or unexpected data if future inputs include sensitive notes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that generated reports are automatically synchronized to multiple destinations, including external services and shared repositories, without indicating a confirmation step or prominent warning. Automatic transmission increases the risk of unintended disclosure of generated content, metadata, or research interests to third parties or shared workspaces.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents automatic loading of Zotero API credentials from ~/.zshrc, which exposes a high-risk pattern of harvesting secrets from a user's shell profile without an explicit consent step. Shell rc files can contain many unrelated secrets, so reading them broadens exposure beyond the minimum needed and can unintentionally leak or misuse credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes reports into multiple user workspace locations automatically without confirmation. While the content is not highly sensitive by itself, silent filesystem writes can overwrite expected files, create persistence artifacts, and surprise users in a skill that also syncs data elsewhere.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically transmits collected article data to Zotero, a knowledge graph helper, and Matrix without an explicit upfront warning. This is risky because it expands data exposure and action scope beyond simple report generation, especially when content is sourced from external feeds and may be mixed with local metadata or credentials.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.