ClawHub

Briefing Diario

Security checks across malware telemetry and agentic risk

Overview

This daily briefing skill is coherent and purpose-aligned, with ordinary privacy cautions because it contacts public APIs for weather, currency, and holiday data.

Install if you are comfortable with the agent contacting public services to build the briefing. Use an explicit command such as "briefing diário" and consider avoiding the broad "dia" trigger if accidental invocation or location disclosure is a concern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill metadata says it should trigger on 'briefing diário' or 'briefing', but later text says it can be triggered via 'dia', 'resumo do dia' or 'briefing'. This inconsistency broadens activation beyond the user-facing contract and can cause unintended invocation, which may lead to unexpected external API calls and disclosure of location-derived context.

Vague Triggers

Low
Confidence
96% confidence
Finding
The file presents conflicting activation guidance across the front matter and the observations section, making it ambiguous when the skill should run. Ambiguous activation increases the chance of accidental execution, especially in conversational settings where common words may appear naturally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to identify the user's city and query third-party services using latitude/longitude and timezone-related context, but it does not warn the user that this context will be sent externally. This creates a privacy risk because location-derived information and usage timing may be disclosed to external providers without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
**Clima e Astronomia:**
Use o endpoint da Open-Meteo:
```
https://api.open-meteo.com/v1/forecast?latitude=-19.9208&longitude=-43.9378&daily=uv_index_max,sunset,sunrise&hourly=precipitation_probability&current=temperature_2m,relative_humidity_2m,apparent_temperature,weather_code,wind_speed_10m&timezone=auto
```

Extraia e mapeie:
Confidence
97% confidence
Finding
https://api.open-meteo.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal