Toutiao Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Toutiao publishing, but it can reuse saved login sessions and publish automatically, and its confirmation and session-control safeguards are insufficiently clear.

Install only if you intend to let an agent operate a logged-in Toutiao publisher account. Review where browser state is stored, clear it when done, and require the agent to show the title, content, cover image, and final action for explicit approval before any live publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    )

    # Install requirements
    result = subprocess.run(
        [str(self.venv_pip), "install", "-r", str(self.requirements_file)],
        check=True,
        capture_output=True,
Confidence
84% confidence
Finding
result = subprocess.run( [str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True, capture_output=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Install Chrome for Patchright (not Chromium!)
    print("🌐 Installing Google Chrome for Patchright...")
    try:
        subprocess.run(
            [
                str(self.venv_python),
                "-m",
Confidence
79% confidence
Finding
subprocess.run( [ str(self.venv_python), "-m", "patchright",

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented primarily as an interactive browser-based publisher, but it also exposes fully automated headless submission using title, content, and cover inputs. This discrepancy can mislead reviewers or users about the true level of autonomy, causing them to underestimate the risk of unattended posting, bulk misuse, or covert content publication through a persisted authenticated session. Because the skill maintains login state, hidden automation is more dangerous than in a stateless tool.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The documentation says the user manually writes and publishes the article, but later states the process can be fully automated. This inconsistency obscures the actual behavior of the skill and can cause operators to authorize it under the assumption that all final publication steps remain human-driven. In an authenticated publishing context, that mismatch weakens informed consent and review accuracy.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes automated publishing, local file upload, and persistent browser/session storage, but does not warn users that authentication state, cookies, local drafts, and uploaded content may remain on disk or be reused unexpectedly. In an agent skill that can publish externally, omission of these privacy and persistence implications increases the risk of unintended disclosure or account misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The natural-language examples encourage the agent to generate and directly publish content, including user-provided text and local files, without an explicit confirmation step or warning that posting to Toutiao is an external, potentially irreversible action. In an agent context, this raises the chance of accidental publication, reputational harm, or disclosure of sensitive material through overly broad or misunderstood prompts.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Triggering on any mention of 'toutiao' or '头条号' is overly broad and may activate the skill in contexts that are informational, comparative, or unrelated to publishing. Overbroad activation increases the chance that the agent invokes shell-backed browser automation and touches persistent authentication state when the user did not intend an action. In a skill capable of authenticated posting, accidental invocation has higher consequence than for a read-only helper.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code loads cookies from a local persisted state file and injects them directly into a live browser session, which can silently rehydrate authenticated sessions. In a publishing skill that manages persistent authentication, this increases the chance of account misuse or unintended cross-user/session access if the state file is stale, shared, tampered with, or insufficiently protected.

VirusTotal

64/64 vendors flagged this skill as clean.
