ClawHub

中国官方经济资讯

Security checks across malware telemetry and agentic risk

Overview

This skill coherently fetches public Chinese economic news, with some setup and source-verification caveats but no evidence of hidden data access or harmful behavior.

Reasonable to install if you want a public-news helper. Be aware that the fallback script may run locally, may require installing Python dependencies, queries Bing China plus listed news sources, and should not be treated as a perfectly guaranteed official-only feed unless its hostname validation and TLS handling are improved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs use of network-capable tools such as web_search and web_fetch, and also a fallback script that retrieves remote content, yet there is no declared permission model visible in the skill file. This creates a real security gap because network access expands the attack surface for unintended outbound requests, data exfiltration, and fetching untrusted remote content without explicit authorization boundaries.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes broad phrases such as '财经新闻', '经济政策', and '今日财经', which are common conversational terms and may cause the skill to activate unintentionally. Accidental invocation can lead to unnecessary network access and unexpected retrieval of external content, increasing privacy and operational risk even if the content sources are restricted.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal