HN Digest

Security checks across malware telemetry and agentic risk

Overview

This skill does fetch Hacker News posts, but it also automatically installs image-generation dependencies and uses a Gemini/Nano Banana API key to create an image after each digest.

Install only if you want an HN digest that also automatically generates AI images and may spend Gemini/Nano Banana API quota. Prefer disabling or making the image step opt-in, using a separate limited API key for this skill, and pinning/reviewing Python dependencies instead of installing them silently at runtime.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, yet its documented behavior invokes local scripts, reads environment/configuration data, writes files, and performs network access. This creates an undeclared capability gap that can mislead reviewers and users about the trust boundary, increasing the chance that credential access, file writes, or outbound requests occur without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill is presented as a simple Hacker News digest, but the behavior extends into credential retrieval from local configuration, dependency/bootstrap actions, external image-generation API calls, and file/media emission unrelated to the core task. This mismatch is dangerous because it conceals sensitive operations behind an innocuous description, enabling unnecessary secret exposure, unexpected network exfiltration, and expanded attack surface in a context where users would not expect those risks.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script materially exceeds the stated purpose of the HN digest skill by creating a Python virtual environment, installing third-party packages, and invoking AI image generation based on HN content. In a skill advertised as fetching and sending Hacker News posts, this hidden secondary behavior increases attack surface, creates unexpected network and execution side effects, and can mislead operators about what code will run.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Provisioning a venv and installing google-genai and pillow at runtime is unjustified for a simple HN digest workflow and introduces supply-chain, network, and unexpected code-execution risk. The mismatch between advertised functionality and actual behavior makes the skill more dangerous because users and reviewers may not anticipate dependency installation or AI-service usage.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script performs image generation and writes image output, which does not align with the declared purpose of an HN front-page fetch/send skill. Capability drift in a skill package is dangerous because it can hide undisclosed data flows and side effects, increasing the chance that users or operators authorize behavior they did not intend.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads an API credential from the environment and uses it for an image-generation workflow unrelated to the skill's stated Hacker News purpose. In this context, secret use outside the expected feature set is suspicious because it expands the skill's authority and can enable undisclosed third-party interactions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This script is materially inconsistent with the declared Hacker News digest skill and instead loads a Gemini API key from the environment or a local OpenClaw config. In the context of a skill that should only fetch HN posts, credential access is unjustified and creates a strong risk of secret misuse or covert external-service invocation.

Description-Behavior Mismatch

Critical
Confidence
100% confidence
Finding
The file does not implement the advertised Hacker News digest behavior at all; it generates images via an external AI model, writes them to disk, and emits attachment tokens. This severe capability mismatch is dangerous because it can conceal unauthorized network activity, local file writes, and unintended data flows under the cover of a benign-looking skill description.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The script claims to use Nano Banana Pro but actually invokes a Gemini image model, which is a deceptive or misleading implementation detail. While not the most severe issue by itself, this mislabeling obscures the true external dependency and data recipient, undermining user consent and reviewer understanding.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs network package installation and then executes multiple external programs without any confirmation, sandboxing signal, or operator warning. In an agent skill context, this is risky because invoking the skill can silently modify the local environment and pull remote code, which is more dangerous than in a plainly administrative setup script.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends the provided prompt and bearer token to an external API without any in-code disclosure, confirmation, or visible consent mechanism. In a skill advertised only as fetching Hacker News posts, undisclosed external transmission of user-controlled content is materially more dangerous because operators may not expect prompts to leave the local environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends user-provided prompts to an external model API without any indication that such transmission is part of an HN digest skill. In this context, hidden prompt exfiltration to a third-party service is dangerous because users and reviewers would reasonably not expect their input to leave the local skill boundary for image generation.

VirusTotal

64/64 vendors flagged this skill as clean.