Global Perspectives News Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a coherent news-briefing skill with disclosed web search and opt-in local preference saving, and no evidence of hidden or harmful behavior.

Install this if you are comfortable with Tavily-powered news searches and optional local preference storage. Avoid saving highly sensitive topics on shared machines, and remove ~/.claw/data/global-perspectives-news-prefs.json if you no longer want prior interests reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The README advertises a very broad natural-language activation phrase ('Give me today's global news briefing') in addition to the slash command. In chat-based agent environments, generic phrases like this can overlap with ordinary user conversation and unintentionally invoke the skill, causing unexpected web searches, external data access, or preference-driven behavior without clear user intent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README states that the skill 'remembers your preferences' by saving them to a local file, but it does not warn users that their interests, source preferences, and language choices may be persisted on disk. While not an exploit by itself, undocumented persistence can expose sensitive preference data to other local users, backups, logs, or future sessions without informed consent.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
The skill instructs the agent to greet returning users in a saved language and explicitly includes a Chinese/bilingual greeting format without first obtaining fresh user consent at runtime. This can override user expectations, reveal or infer prior language preferences, and create a minor privacy and UX issue by using persisted personalization data in a way the user may not have requested for the current session.

VirusTotal

65/65 vendors flagged this skill as clean.
