FeedTo

Security checks across malware telemetry and agentic risk

Overview

FeedTo is a disclosed integration that uses a FeedTo API key, a local queue, and a background listener to deliver browser feeds into OpenClaw.

Install this only if you want FeedTo items delivered automatically into OpenClaw. Keep the FeedTo API key revocable, expect a background listener plus cron task to run, and remember that feed contents are stored locally until drained and should be treated as untrusted external text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README explicitly describes a persistent outbound realtime listener, fallback polling, and writing feed data into a local inbox, but it does not clearly warn users that the skill maintains continuous network connectivity and stores incoming data on disk. This can lead to uninformed deployment in environments with strict privacy, monitoring, or data retention requirements, increasing the risk of accidental exposure of sensitive feed contents or policy violations.

VirusTotal

61/61 vendors flagged this skill as clean.