Site Feeds

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed feed-fetching helper, but it can set up third-party tools, a local Docker service, and persistent feed subscriptions if the user approves.

Install this if you want an agent to fetch public feed-style updates and you are comfortable reviewing and setting up RSSHub and airsstool. Confirm before any Docker deployment, .env edits, database initialization, or subscription deletion, and use a custom database path if feed interests or subscription names are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill materially expands from a read-only content retrieval tool into system administration tasks: deploying Docker services, creating local files, initializing a database, and maintaining persistent state. That increases the attack surface and can cause the agent to make host-level changes unrelated to the user's immediate request, which is risky for a skill whose manifest frames it as simply fetching updates from websites.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The subscription creation, deletion, and path-management commands introduce persistent data mutation beyond the declared purpose of fetching site content. Even if intended as convenience features, they allow an agent to alter local state and user data stores, creating opportunities for unwanted persistence, accidental destructive actions, or misuse under broad invocation conditions.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill instructs the agent to deploy Docker services, create configuration files, and modify compose settings, which are privileged local-environment actions not necessary for many feed-fetching scenarios. These steps can lead to unauthorized infrastructure changes, exposure of services, persistence on the host, and handling of sensitive configuration values such as environment variables.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Database initialization and subscription administration extend the skill into persistent storage management rather than transient content retrieval. Persistent state creates a longer-lived security footprint and increases the chance of unintended retention, cross-session effects, or corruption/deletion of user-managed data.

Vague Triggers

Medium
Confidence: 85%
Finding
The top-level description is broad enough to activate on many common requests about websites and online content, which increases the chance the agent invokes a skill that can perform local setup and persistent state changes in contexts where the user only wanted informational help. Over-broad routing becomes more dangerous here because the skill is not purely read-only.

Vague Triggers

Medium
Confidence: 87%
Finding
The invocation guidance uses expansive triggers like 'what's new on' and 'show me updates from' without stating that the skill may install software, deploy services, or manage subscriptions. Ambiguous activation criteria can cause the agent to escalate from a simple content question into actions that modify the local environment or create persistent state.

VirusTotal

66/66 vendors flagged this skill as clean.