热点收集雷达 (Hotspot Collection Radar)

Security checks across malware telemetry and agentic risk

Overview

This skill does hotspot crawling as advertised, but it has under-disclosed credential handling and can send collected reports to hard-coded Feishu destinations.

Review before installing. Only use this if you are comfortable with broad news/social-site crawling, local archives, and Feishu API use. Do not provide Feishu or Instagram credentials until the skill is changed to use secure secret storage, user-configured Feishu destinations, honored platform allowlists, and explicit confirmation before sync or notification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'app_js' from requests.get (line 9, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
app_js = [j for j in js_files if 'app' in j.lower()][0]
print(f'App JS: {app_js}')

j = requests.get(app_js, timeout=10)
text = j.text

# Find all URL or path strings
Confidence
95% confidence
Finding
j = requests.get(app_js, timeout=10)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module claims the Feishu token is sourced from encrypted OpenClaw storage, but the implementation actually loads a bearer token from a predictable local JSON file in the workspace. This mismatch weakens operator trust and can expose credentials to local disclosure, accidental commits, or insecure filesystem permissions, especially since the token is then used for authenticated outbound API calls.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The helper named as HTML cleanup decodes entities like &lt; and &gt; back into raw angle brackets, which can reintroduce HTML or Markdown-injected content into the generated report. In this module, titles and excerpts from external sources are inserted into Markdown output, so untrusted content could render as active HTML in downstream viewers that allow embedded HTML.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README instructs users to initialize a Feishu token and run modes that sync data to Feishu tables and send notifications, but it does not warn about credential sensitivity, token storage/handling, or that collected data will be transmitted to external services. In an agent skill context, this can lead users to execute data-exporting workflows without informed consent, increasing the risk of credential misuse or unintended disclosure of collected content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are overly broad and map to common user intents such as '热点分析' and '生成日报', which can cause the skill to activate in situations where the user did not specifically intend multi-platform crawling, analysis, or outbound reporting. In this skill's context, that increases the chance of unintended external access and data handling, especially because the skill also supports browser-based collection and Feishu delivery.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn users that it may access external platforms, use browser-based scraping for JavaScript-rendered sources, write collected data to local files, sync to Feishu Bitable, and push reports to Feishu private chats. Without explicit notice and consent, users may unknowingly trigger network access, storage, and third-party transmission of potentially sensitive monitored keywords, competitive intelligence, or generated reports.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill sends scraped titles, links, and metadata to Feishu over the network without any explicit consent gate, warning, or configuration flag indicating that data will leave the local environment. In a data-collection workflow, this can cause unintended exfiltration of potentially sensitive or restricted content to a third-party SaaS platform under an existing bearer token.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code reads a user-provided Instagram session cookie from local config and sends it in an authenticated request to Instagram's private API path. While the destination is the expected Instagram domain rather than an unrelated third party, transmitting session credentials through this crawler increases exposure risk, especially because proxy use is enabled and the code path lacks strong safeguards, consent flow, or secret-handling controls.

VirusTotal

VirusTotal findings are pending for this skill version.
