News Evening Digest - 新闻晚报

Security checks across malware telemetry and agentic risk

Overview

This is a plausible scheduled news digest, but its code sends messages to an undocumented WeCom webhook instead of the documented Feishu destination, so users should review it before installing.

Install only after editing or verifying the script so the outbound destination matches what you intend. Use a dedicated test channel and dedicated webhook/API keys, treat webhook URLs as secrets, confirm whether @all mentions are acceptable, and remove the cron or Task Scheduler entry if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'webhook_url' from os.environ.get (line 286, credential/environment) → requests.post (network output)

Critical
Category: Data Flow
Content
}
        }
        
        response = requests.post(webhook_url, json=payload, timeout=10)
        
        if response.status_code == 200:
            result = response.json()
Confidence: 92%
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documents access to environment variables and network resources but does not declare corresponding permissions. This weakens transparency and permission gating, making it harder for users or a platform to understand that the skill can read secrets such as webhook URLs and send outbound requests. In an automation skill that performs scheduled network activity, undeclared capabilities increase the risk of unexpected data access or message delivery.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose says the skill sends an evening digest based on World Monitor to QQ and Feishu, but the observed behavior reportedly includes broader collection, Tavily-based search, additional topic domains, and a different outbound destination (WeCom). Description-behavior mismatch is dangerous because users may consent to a narrow news-push workflow while the skill actually performs broader data collection and different external transmissions, undermining informed trust and review.

Vague Triggers

Medium
Confidence: 89%
Finding
The example trigger phrases are broad everyday requests such as asking for the evening news or setting a news push time, which can cause accidental activation outside the user's intended context. In a skill that performs automated outbound delivery to QQ and Feishu, ambiguous invocation increases the chance of unintended scheduling or message dispatch.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states that the skill automatically pushes news to external platforms at 8 PM but does not warn users that it sends outbound messages to QQ and Feishu. Missing disclosure can lead to users enabling the skill without understanding that external delivery, account linkage, or recurring notifications will occur.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill openly states that it automatically pushes generated content to external messaging platforms, but it does not clearly warn users that content will leave the local environment on a schedule. Even if the intended payload is only news summaries, scheduled outbound delivery can still leak prompts, generated text, source metadata, or accidentally included sensitive information if the pipeline is modified or misconfigured.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation includes a Feishu bot webhook format but does not warn that the webhook URL is effectively a bearer secret. If leaked through shell history, screenshots, logs, or repository commits, an attacker could send unauthorized messages into the connected Feishu channel and abuse the bot for spam, phishing, or impersonation.

VirusTotal

65/65 vendors flagged this skill as clean.
