Danish News Feeds

Security checks across malware telemetry and agentic risk

Overview

This is a public RSS feed aggregator with no credential access or destructive behavior, but one helper script weakens HTTPS protections and the documentation overstates what the included files do.

Install only in a virtual environment, consider pinning dependencies, and avoid using aggregate_feeds.py until TLS verification is restored. Treat generated RSS content as republished third-party content, and only add the cron job or detached Docker command if you intentionally want ongoing background fetching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented behavior materially diverges from the implementation, including an especially dangerous claim that feed fetching disables SSL certificate verification. Disabling TLS verification allows man-in-the-middle tampering of fetched content, and the broader mismatch undermines user trust by hiding actual behavior and overstating safeguards and functionality.

Intent-Code Divergence (Medium)

Confidence: 99%
Finding: The code disables TLS certificate verification and hostname validation for every HTTPS feed request, which allows a man-in-the-middle attacker to intercept and modify feed contents in transit. In this skill's context, that means an attacker could inject arbitrary RSS items, links, and descriptions into the aggregated output, poisoning downstream consumers and defeating trust in the feed source.

VirusTotal

63/63 vendors flagged this skill as clean.
