Daily-EnglishNews-Reader

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed English-learning helper that fetches public RSS articles, creates Feishu documents, and keeps local preference/history files for deduplication.

Install only if you are comfortable authorizing the Feishu/Lark plugin to create cloud documents, fetching article content from third-party RSS services, and keeping local files with reading preferences plus generated article titles and URLs. Review Feishu permission prompts, and avoid running the optional sudo install path unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill performs file reads and network operations but does not explicitly declare those capabilities as permissions, reducing transparency and informed user consent. In this skill's context, those actions are expected for RSS fetching and document creation, but the undeclared access still creates security and trust risk because users may not realize local files are read and external services are contacted.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The README suggests triggering the skill with a very broad natural-language phrase such as '生成今天的英语阅读材料' ("generate today's English reading material"). In agent environments, overly generic invocation phrases can cause accidental or ambiguous activation, leading the skill to fetch external RSS content and create Feishu cloud documents without the user clearly intending to invoke this specific skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill description highlights automatic RSS retrieval and Feishu cloud document generation, but does not clearly warn users that content will be fetched from third-party news sources and written to an external collaboration platform. This creates a privacy and data-sharing risk because user prompts, preferences, generated content, or metadata may be transmitted to external services without informed user awareness.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding: The invocation phrases are broad enough that ordinary user requests like 'generate English reading material' could trigger the skill unexpectedly. Because the skill performs network access, modifies local tracking/config files, and creates Feishu cloud documents, accidental invocation can cause unintended external data transfer and persistent local state changes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill writes user configuration and article history to local files but does not prominently warn users that it will modify persistent local state. This can lead to unexpected retention of reading preferences and browsing-history-like records, which may expose private interests or cause integrity issues if users are unaware those files are being maintained.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill sends rewritten content, article metadata, and source URLs to a Feishu cloud document without a clear privacy warning. Even if the data is article-based, generated documents may reveal user interests, selected difficulty settings, and reading history to a third-party cloud platform, which is a meaningful privacy risk in this context.

VirusTotal

66/66 vendors flagged this skill as clean.