Cnbc Geopolitics Fetcher

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do its stated news-to-Discord job, but it ships a real-looking Discord webhook and tells agents to use it, which needs human review before installation.

Review before installing. Revoke and remove the bundled Discord webhook, replace it with your own user-controlled secret outside the skill files, and confirm the Discord channel before each run. Run it in an isolated Python environment and treat each execution as sending public CNBC-derived content to Discord.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The documentation contains what appears to be a live Discord webhook URL and instructs users to pass or store it in plaintext. Discord webhooks are bearer secrets; anyone who obtains the URL can post arbitrary content into the target channel, enabling spam, impersonation, misinformation, or operational disruption. The risk is heightened because the file explicitly encourages copying the secret into commands and config files.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding
The script sends scraped article content to an arbitrary Discord webhook with no validation of destination ownership and little user-facing disclosure beyond a CLI flag. In an agent/skill context, this is an outbound exfiltration sink: any supplied or config-extracted webhook can receive external content and potentially adjacent data if future changes expand the payload.

VirusTotal

62/62 vendors flagged this skill as clean.
