Ket News Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public news and creates an English-learning PDF, with some disclosure and quality issues but no evidence of hidden credential access, exfiltration of private data, destructive behavior, or deception.

Install only if you are comfortable with unpinned Python dependencies, outbound requests to BBC and Google Translate, and a fixed generated-PDF output path that can replace an earlier file. Do not use it with private or licensed text unless sending derived terms to Google Translate is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill advertises capabilities that imply network access, shell execution, and file writing, but it does not declare permissions or clearly scope those operations. This is dangerous because users and hosting platforms cannot make an informed trust decision, and the skill writes output to a fixed filesystem path while performing remote fetches and package installs.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose says the skill fetches BBC News and generates a specific PDF, but the observed behavior includes additional external sources, translation API calls, extra file outputs, and copying artifacts to a fixed workspace path. Behavior that exceeds or contradicts the declared scope is a security concern because it hides data flows and side effects from the user, increasing the chance of unexpected exfiltration, policy violations, or filesystem misuse.

Description-Behavior Mismatch (High)
Confidence: 96%
Finding:
The implementation materially differs from the declared skill behavior: it supports multiple sources beyond BBC and does not generate PDFs, translations, or an 80-word vocabulary section. This is dangerous because users, orchestrators, or security reviewers may grant the skill broader trust or permissions based on inaccurate metadata, leading to deceptive capability assumptions and misuse in automated pipelines.

Description-Behavior Mismatch (Medium)
Confidence: 92%
Finding:
The default workflow only fetches listing pages and saves metadata/title placeholders rather than retrieving full article bodies, despite advertising complete articles in the output. This mismatch can mislead downstream users and systems into treating incomplete or low-integrity data as full content, which is a trust and supply-chain style integrity issue rather than direct code execution.

Description-Behavior Mismatch (Medium)
Confidence: 89%
Finding:
The code contains a vocabulary analysis function, but its results are never incorporated into the saved output, while the skill promises a vocabulary section. This inconsistency is dangerous mainly because it creates misleading expectations about educational processing and output completeness, undermining reliability and potentially causing incorrect downstream use.

Description-Behavior Mismatch (Low)
Confidence: 85%
Finding:
The script copies the generated PDF to a second hard-coded path under /root without user confirmation or path validation. Writing artifacts to fixed locations can unexpectedly overwrite files, leak generated content into sensitive workspace areas, and violate least surprise in an automation context.

Missing User Warnings (Medium)
Confidence: 90%
Finding:
The markdown describes network fetching, translation requests, and writing PDF output to a fixed path, but it does not warn users about these side effects or request informed consent. This matters because the skill contacts external services and writes files outside an obvious local project output area, which can surprise users and violate environment or privacy expectations.

Missing User Warnings (Medium)
Confidence: 93%
Finding:
The skill sends article text and vocabulary to Google Translate over the network without explicit disclosure, consent, or an option to disable external transmission. In agent environments, silent third-party data sharing can leak scraped content, proprietary text, or user-derived material to external services, creating privacy and compliance risk.

Missing User Warnings (Medium)
Confidence: 91%
Finding:
The script writes output to /tmp and then copies it to a fixed workspace path without confirmation. In a shared or automated environment this can expose generated content to unintended locations, overwrite existing files, and make data handling less predictable for operators.

VirusTotal

65/65 vendors flagged this skill as clean.
