Rss Sitemap

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RSS and sitemap discovery skill that openly uses Node.js to fetch site indexes, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you are comfortable allowing the agent to run the bundled Node script and make outbound HTTP requests from the host. Keep exec approvals scoped to this script, prefer one-time approval unless repeated use is needed, and avoid using it on localhost, private IP ranges, or sensitive internal domains unless that access is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill instructs the agent to perform outbound network discovery against arbitrary user-supplied sites and the metadata only declares a Node binary requirement, not an explicit network permission. This creates a permission-model gap: review systems or policy enforcement may treat the skill as less privileged than it actually is, enabling unexpected SSRF-style access, internal network probing, or unreviewed external requests when the skill is invoked.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The README goes beyond documenting sitemap/feed discovery and instructs operators to enable local host execution, manage approvals, and preauthorize a Node-based runtime path. Even though it frames this as scoped to the skill, these instructions materially increase the agent's ability to run local code and normalize approval manipulation, which expands attack surface beyond the skill's narrow purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The documentation recommends changing global exec policy and WhatsApp group tool permissions, including exposing `exec` and describing persistent approval flows. In the context of a content-discovery skill, these are overbroad operational changes that could let an attacker or misconfigured agent execute local commands or gain durable approval paths unrelated to fetching sitemap or feed URLs.

VirusTotal

64/64 vendors flagged this skill as clean.