Podcast to Substack

Security checks across malware telemetry and agentic risk

Overview

The skill matches its podcast publishing purpose, but it can publish public content and alter the Python environment without clear approval gates.

Install only if you are comfortable giving the agent access to the intended Notion database and your publishing sessions. Before use, require draft/review approval before Substack publishing, email distribution, or LinkedIn posting; remove or pre-install the feedparser dependency in a controlled environment; and use a least-privileged Notion token limited to the episode content you intend to publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
try:
    import feedparser
except ImportError:
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "feedparser", "-q"])
    import feedparser
Confidence: 95%
Finding:
subprocess.check_call([sys.executable, "-m", "pip", "install", "feedparser", "-q"])

Tainted flow: 'req' from os.getenv (line 42, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
for idx, u in enumerate(urls, start=1):
    req = urllib.request.Request(u, headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=40) as resp:
            content = resp.read()
            ext = infer_ext(u, resp.headers.get("Content-Type"))
    except Exception as exc:  # pragma: no cover - best effort download
Confidence: 91%
Finding:
with urllib.request.urlopen(req, timeout=40) as resp:

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
Automatically installing a Python package at runtime is risky because the script performs a networked dependency change as part of ordinary RSS fetching, a behavior not necessary for the core function. In security-sensitive or automated environments, this can introduce unreviewed third-party code, break reproducibility, and allow supply-chain abuse if package resolution is influenced by a malicious index or local environment configuration.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The workflow directs publishing to Substack and posting or queueing LinkedIn content without an explicit warning, confirmation gate, or dry-run mode for external side effects. In a skill that handles public-facing content, this can lead to accidental publication, reputational damage, or unintended dissemination of draft or incorrect material.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The skill requests a Notion API key via environment variable or local config path but provides no guidance on secure handling, storage, redaction, or least-privilege use. This raises the risk of exposing credentials in logs, prompts, shared environments, or overly permissive local files.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script silently performs package installation without warning or confirmation, so simply running it can modify the host Python environment and execute installer-controlled code paths. This is especially dangerous in CI, shared systems, or agent-driven workflows where users may expect read-only RSS retrieval rather than environment mutation and external package fetches.

VirusTotal

64/64 vendors flagged this skill as clean.
