Finance Hot News Crawling and Topic Summarization System

Security checks across malware telemetry and agentic risk

Overview

This finance news skill is mostly purpose-aligned, but it carries risks from under-scoped automatic deletion, credential and browser-profile use, and external command execution that users should review before installing.

Install only if you are comfortable with the skill making outbound requests to finance sites and model APIs, writing local reports/logs, opening generated HTML, and using configured credentials. Before running it, set temp/report paths to dedicated disposable directories, avoid pointing cookie_path at a real browser profile unless needed, remove API key logging, and review the shell=True subprocess paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"  执行summarize命令: {' '.join(cmd[:3])}...")
print(f"  使用API base URL: {api_base_url}")

result = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
Confidence
97% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8', timeout=self.summarize_setti

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Check whether the summarize command is available
try:
    import subprocess
    result = subprocess.run(['summarize', '--version'],
                            capture_output=True, text=True, timeout=5, shell=True)
    summarize_available = result.returncode == 0
except Exception:
Confidence
91% confidence
Finding
result = subprocess.run(['summarize', '--version'], capture_output=True, text=True, timeout=5, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"    环境变量: OPENAI_API_KEY={deepseek_api_key[:10]}...{deepseek_api_key[-4:] if deepseek_api_key else '未设置'}")
print(f"               OPENAI_BASE_URL={deepseek_base_url}")

result = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
Confidence
96% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8',

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Compute the timeout in seconds from the configured timeout
timeout_seconds = timeout_ms / 1000 + 5  # add a 5-second buffer

result = subprocess.run(
    cmd,
    shell=True,
    capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, encodi

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env['OPENAI_API_KEY'] = self.default_config['api_key']
env['OPENAI_BASE_URL'] = self.default_config['api_base_url']

result = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
Confidence
90% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=self.default_config['timeout_secon

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if cmd.endswith('.ps1'):
    # Invoke via PowerShell
    powershell_cmd = ["powershell", "-Command", f"& {cmd} --version"]
    result = subprocess.run(
        powershell_cmd,
        capture_output=True,
        text=True,
Confidence
92% confidence
Finding
result = subprocess.run( powershell_cmd, capture_output=True, text=True, timeout=5

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        timeout=5
    )
else:
    result = subprocess.run(
        [cmd, "--version"],
        capture_output=True,
        text=True,
Confidence
78% confidence
Finding
result = subprocess.run( [cmd, "--version"], capture_output=True, text=True, timeout

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file presents itself as a crawler/summarizer scheduler, but it also launches generated HTML in external programs. That hidden side effect broadens the capability of the skill beyond its stated purpose, which is dangerous because generated HTML may contain active content and the user is not clearly informed that local applications will be invoked.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The run() method appears to only orchestrate module execution, but it also performs automatic cleanup that deletes files from configured temp and report directories. Undisclosed destructive behavior is risky because a user invoking a routine workflow may unintentionally lose data, especially if configuration points to broader directories than intended.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The scheduler contains host-application launch logic via os.startfile/subprocess/webbrowser even though its apparent role is data collection and reporting. This is dangerous because it grants the skill an unnecessary execution-like capability on the host, and opening local HTML can trigger browser rendering of potentially unsafe active content or leak local context through browser integrations.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module docstring and main-function messaging state the skill only crawls three main sites, but the implementation also loads and crawls up to six additional configured sites. This mismatch can hide actual network behavior from reviewers and users, causing unapproved outbound requests and expanding the attack surface beyond what the documented scope suggests.

Intent-Code Divergence

Low
Confidence
77% confidence
Finding
The comments indicate that other sites were cleared temporarily for stability, while the active code enables loading additional sites. This inconsistency can mislead maintainers during review and operations, increasing the chance that broader crawling behavior is overlooked and executed unintentionally.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module performs extra URL-based deep analysis that is broader than its stated summarization purpose, causing additional outbound requests and data sharing. In an agent skill context, capability creep is risky because users may not expect external retrieval and summarization of URLs from generated outputs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The utility adds general external code-execution capability by discovering and running CLI binaries and PowerShell scripts, which is broader than simple local text summarization. In a skill context, this is dangerous because it lets local environment state determine what code is executed, increasing the chance of executing malicious tooling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly injects API credentials into the environment of a spawned process. Any untrusted or replaced summarize executable can read and exfiltrate those credentials, making this more serious than ordinary subprocess usage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes network scraping, Playwright browser automation, report generation, and automatic browser opening, but it does not clearly disclose the resulting local side effects and outbound activity to users. This can lead users to run the skill without understanding that it will access external sites, write files under fixed directories, and launch browser processes, increasing the chance of unsafe deployment or privacy surprises.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to configure an API key and base URL for DeepSeek but does not warn that content may be transmitted to an external model provider or provide guidance for secure credential handling. This creates a real risk of accidental secret exposure, misuse of production credentials, or sending sensitive scraped data to a third party without informed consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly advertises 'automatic cleanup of old data' and '自动清理旧数据' without describing what data is deleted, where it is stored, or whether the user will be prompted before deletion. In an agent skill context, undocumented destructive behavior can cause unintended loss of reports, cached inputs, or other local files if cleanup scope is broader than expected.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The program automatically opens the generated HTML report as soon as Module 4 succeeds, without asking the user. In this context, that is dangerous because the report content is derived from crawled external sources and may be attacker-influenced, so auto-opening increases the chance of unwanted browser execution, tracking, or social-engineering exposure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The cleanup routine recursively deletes files older than a threshold from configured temp and reports directories with no confirmation, no dry-run, and weak containment guarantees. This is dangerous because misconfiguration or unexpected path values could cause silent deletion of important local data, and the destructive behavior is triggered automatically from the main workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads API credentials from config and injects them into a subprocess environment without user disclosure or minimization. This creates credential-handling risk because child processes, logs, crash dumps, or unintended tools may access the secrets and use them for remote requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The deep-analysis path silently reads credentials from ~/.openclaw/openclaw.json and uses them for remote service access. This is dangerous because a user invoking a local summarization skill may not expect the skill to harvest local API credentials and repurpose them for external network operations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code prints a partially masked API key to stdout, disclosing secret material. Partial key exposure materially assists attackers through log scraping, correlation, or brute-force reduction, and secrets should never be printed in routine operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The subprocess sends prompt content to an external summarization tool but provides no explicit notice that article text may leave the local system. In a skill context handling scraped news content, undisclosed outbound transfer is a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The crawler automatically discovers and reuses a local browser user-data directory, which can load authenticated sessions, cookies, and other sensitive browser state without strong user consent boundaries. In a skill/agent context, this increases the risk of unintended credential use, privacy leakage, and access to content under the operator's logged-in identity.

VirusTotal

64/64 vendors flagged this skill as clean.
