AI DeepNews
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it claims—fetch public AI news, translate it, and write a digest—but users should notice it installs Python packages and surfaces third-party feed text to the agent.
This looks safe for its stated purpose. Before installing, be aware that it downloads Python dependencies, contacts public RSS feeds and Google Translate, and saves a local digest/cache. Treat generated news text and links as untrusted content rather than commands for the agent to follow.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised feed item could include text that tries to influence the agent if the digest is later acted on automatically.
The script copies third-party RSS titles and summaries into the Markdown digest. This is expected for the skill, but RSS content is untrusted text that should not be treated as agent instructions.
summary = entry.get("summary", entry.get("description", "")) ... lines.append(f"> {trans['summary'][:200]}")
Use the digest as informational content only, and require explicit user confirmation before following any instructions, links, or requests embedded in article text.
Installing the skill may download dependency versions that were not fully locked in the artifact set.
The setup installs public Python packages; feedparser is not version-pinned and googletrans is a release-candidate dependency. This is a normal setup pattern for the skill, but it leaves dependency provenance to the package registry at install time.
python3 -m venv venv && ./venv/bin/pip install feedparser googletrans==4.0.0-rc1
Install in the shown virtual environment, review dependency versions if supply-chain control matters, and consider pinning all packages before use.
