News Curator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent personal news automation, but it schedules automatic outbound delivery to a hard-coded Telegram chat and should be reviewed before installation.

Review and change the Telegram destination before enabling this skill. Only install it if you are comfortable with scheduled cron runs making outbound RSS requests and automatically sending generated briefings to Telegram without a manual approval step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly configures automatic delivery of generated content to Telegram (`delivery.mode: "announce"` and a fixed recipient chat ID) without any user-facing disclosure or confirmation step. That creates a data egress path to an external service, and because the content is assembled from live feeds and model output, misconfiguration or prompt drift could result in unintended or sensitive content being transmitted automatically.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs the agent to use `exec` with `curl` to fetch multiple external RSS feeds, but it does not present a user-facing warning that the skill will make outbound network requests. Network-capable shell execution increases risk because it enables uncontrolled external access, can expose metadata such as IP/user-agent, and broadens the impact if the feed list or commands are later modified maliciously.

VirusTotal

VirusTotal findings are pending for this skill version.
