Newspulse

Security checks across malware telemetry and agentic risk

Overview

This skill does not appear to steal data or damage systems, but it advertises real-time crypto news while its main news command displays mock headlines as if they were current.

Install only if you are comfortable treating the main news output as demo or sample data. Do not rely on it for trading, market monitoring, or alerts unless the maintainer clearly implements live fetching and labels mock mode; independently verify any crypto news it reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill advertises real-time cryptocurrency news aggregation, but the implementation only renders hard-coded mock items and provides no live fetch, aggregation, or push functionality. This is a deceptive implementation issue that can mislead users and downstream agents into making decisions based on stale or fabricated data, which is especially risky in a financial/crypto context.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The header comments state that data comes from RSS feeds and public APIs, but the runtime path never uses those sources and instead serves mock data. This documentation-to-code mismatch undermines trust and can cause consumers to treat synthetic output as live market intelligence, creating a meaningful integrity risk in a trading/news workflow.

Unpinned Dependencies

Low
Category: Supply Chain
Content
  "author": "@gztanht",
  "license": "MIT",
  "dependencies": {
    "node-fetch": "^3.3.2"
  },
  "repository": {
    "type": "git",
Confidence: 84%
Finding
"node-fetch": "^3.3.2"

VirusTotal

65/65 vendors flagged this skill as clean.
