Back to skill

Security audit

HN Digest

Security checks across malware telemetry and agentic risk

Overview

This skill does fetch Hacker News posts, but it also automatically generates AI images using provider credentials and runtime-installed packages that are not clearly disclosed in the public description.

Review before installing. Use it only if you want an HN digest that also automatically creates AI images and may spend Gemini/Nano Banana or OpenAI quota. Prefer a version that makes image generation opt-in, pins dependencies, and uses a dedicated limited API key instead of reading broad local OpenClaw configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares itself as a simple Hacker News digest, but its documented behavior invokes scripts with file, network, and environment access without declaring or constraining those capabilities. Hidden capability expansion reduces transparency and makes it easier for a seemingly harmless skill to access secrets, write files, or reach external services beyond user expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a significant description-to-behavior mismatch: the skill claims to fetch HN posts, but the procedure also performs image generation, external service calls, dependency installation, credential access, and file/media output. Such mismatches are dangerous because they can conceal higher-risk operations behind a low-risk user-facing description, undermining consent, review, and runtime policy decisions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest says the skill sends HN post links, but the documented procedure adds an AI-generated image as an extra outbound artifact. This undisclosed output changes the data flow and expands external processing in a way users and reviewers would not reasonably infer from the description.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The image-generation step is not necessary for the stated purpose of fetching and sending HN links, yet it introduces extra external calls, file output, and prompt construction from fetched content. Unnecessary capabilities increase attack surface and create opportunities for prompt abuse, data leakage, or unexpected cost-incurring actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script performs behavior that is outside the declared scope of the skill: instead of only fetching and sending Hacker News posts, it creates a prompt from HN data and invokes a Python image-generation workflow. This hidden capability increases attack surface, introduces undeclared dependency installation and model execution, and can cause the agent to exfiltrate content, consume resources, or perform actions the user did not request.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This HN digest skill includes unjustified AI image-generation capability by building a prompt from fetched HN content and passing it to a separate Python tool that generates output files. In context, this is dangerous because the capability is unrelated to the skill’s stated purpose, is hidden behind innocuous metadata, and also bootstraps dependencies at runtime, creating an opaque execution path that users and reviewers would not expect.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script performs image generation using the OpenAI Images API, which does not align with the skill's declared purpose of fetching and sending Hacker News front-page posts. In a skill ecosystem, capability mismatch is dangerous because it can hide undeclared data flows, unexpected billing activity, or unauthorized side effects under an unrelated manifest.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads OPENAI_API_KEY from the environment and uses it to call an external image-generation API, a privileged capability not justified by the stated HN-digest functionality. Even though the key is not exfiltrated directly, undeclared credential use expands the attack surface and can lead to unexpected external transmission, cost incurrence, and trust boundary violations.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The ArgumentParser description explicitly says the script generates a mood image for hn-digest, contradicting the manifest's documented HN retrieval purpose. This inconsistency is a meaningful security signal because it suggests hidden or undeclared functionality that reviewers and users would not expect from the advertised skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script accesses a Gemini API key from the environment and from a local OpenClaw config even though the declared skill is only supposed to fetch Hacker News posts. This mismatch strongly suggests hidden capability harvesting or repurposing of unrelated credentials, which could expose secrets and enable unauthorized external API usage.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
The implementation does not perform the advertised HN-digest behavior at all; instead it sends user input to an external generative model, creates an image file, and emits a media attachment token. In the context of a skill advertised as fetching Hacker News posts, this is a severe capability mismatch and indicates deceptive behavior that could trick users or the host agent into invoking unintended networked and file-writing actions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script performs remote AI image generation and writes the returned content to a local file, both unrelated to the stated purpose of sending Hacker News posts. In this skill context, those extra capabilities expand the attack surface by enabling undisclosed data egress and local artifact creation under false pretenses.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The help text and error messages openly describe a Nano Banana Pro image generator, directly contradicting the manifest that claims this is an HN-digest skill. That inconsistency is a strong indicator of deceptive packaging or accidental code substitution, both of which undermine trust and can conceal unauthorized behavior.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The procedure directs shell execution and external fetching/generation without explicit user-facing notice, which weakens informed consent and obscures when remote/networked operations occur. While not inherently malicious, silent command and network use is risky in an agent setting because it can surprise users and bypass expected trust boundaries.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script reads sensitive credentials without any user-facing disclosure, despite operating under a manifest that gives no indication that secrets will be accessed. While secret access may be legitimate in some tools, here it is undisclosed and contextually suspicious because the advertised function should not need Gemini credentials at all.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User-supplied prompt content is transmitted to an external model API without clear disclosure or consent. In the context of a supposed Hacker News retrieval skill, this is more dangerous because users would not reasonably expect their input to be sent to a third-party image generation service.

External Transmission

Medium
Category
Data Exfiltration
Content
def request_image(api_key: str, prompt: str, model: str, size: str, quality: str) -> dict:
    url = "https://api.openai.com/v1/images/generations"
    body = json.dumps(
        {
            "model": model,
Confidence
90% confidence
Finding
https://api.openai.com/

Env Variable Harvesting

High
Category
Data Exfiltration
Content
ap.add_argument("--out", required=True)
    args = ap.parse_args()

    api_key = (os.environ.get("OPENAI_API_KEY") or "").strip()
    if not api_key:
        print("Missing OPENAI_API_KEY", file=sys.stderr)
        return 2
Confidence
95% confidence
Finding
os.environ.get("OPENAI_API_KEY

Env Variable Harvesting

High
Category
Data Exfiltration
Content
"""

    # Prefer env var if set.
    env_key = (os.environ.get("GEMINI_API_KEY") or "").strip()
    if env_key:
        return env_key
Confidence
92% confidence
Finding
os.environ.get("GEMINI_API_KEY

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.