News Digest Aggregator - News Aggregation

Security checks across malware telemetry and agentic risk

Overview

This news digest skill mostly matches its purpose, but it automatically installs unpinned Python packages when run, so it should be reviewed before installation.

Review or modify the script before installing. Prefer preinstalling pinned dependencies in a virtual environment instead of allowing runtime pip installs, use dedicated low-privilege webhooks, avoid sensitive/private RSS sources unless approved, test manually before adding cron, and remove the cron entry when automatic posting is no longer wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import feedparser
except ImportError:
    print("Installing required package: feedparser")
    os.system(f"{sys.executable} -m pip install feedparser")
    import feedparser

# HTTP requests
Confidence
98% confidence
Finding
os.system(f"{sys.executable} -m pip install feedparser")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import requests
except ImportError:
    print("Installing required package: requests")
    os.system(f"{sys.executable} -m pip install requests")
    import requests
Confidence
98% confidence
Finding
os.system(f"{sys.executable} -m pip install requests")

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains explicit logic to install Python packages during execution, which is unnecessary for the stated news-digest purpose and expands the attack surface through supply-chain compromise and host mutation. Because this skill is designed for scheduled automation, unattended runtime installs are more dangerous than in an interactive development script.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The README provides broad invocation phrases like requesting today's news summary or sending news to Feishu without defining explicit trigger boundaries, authorization expectations, or scope limits. In an agent setting, ambiguous triggers can cause the skill to activate unexpectedly or perform external actions when the user did not clearly intend them, especially because the skill supports scheduled delivery and outbound messaging.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises sending news through external channels such as Feishu but does not warn users that article content, summaries, or prompts may be transmitted to third-party services. This creates a real data-sharing and privacy risk because users may unknowingly cause content or metadata to leave the local environment when using the messaging integrations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages sending aggregated content to Discord, Slack, or Feishu through webhooks without warning that article content, summaries, and metadata are transmitted to third-party services. In a news-digest context this is often expected, but the absence of disclosure still increases the risk of unintentional external sharing, especially if feeds contain internal or sensitive sources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell users to place webhook URLs in environment variables but omit any warning that these values are sensitive secrets that can be abused to post into organizational channels. Leakage of these webhook credentials can enable spam, phishing, misinformation, or unauthorized content delivery into trusted communication spaces.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script installs a package automatically without user confirmation or administrative controls, which can surprise operators and bypass normal change-management expectations. This is dangerous because it permits unreviewed code to be fetched and executed from package infrastructure as a side effect of normal use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This duplicate auto-install path has the same issue: it changes the execution environment and retrieves code from external package sources without consent. In a scheduled news bot, such behavior can happen in unattended contexts where users never see or approve the installation.

VirusTotal

66/66 vendors flagged this skill as clean.
