Feeds Digest

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RSS digest skill with expected network access, optional LLM summarization, and local cache files, but users should understand the privacy tradeoffs before enabling LLM summaries.

Install only if you are comfortable with this skill fetching configured feeds and writing local cache/history files. Do not use --llm with private or sensitive feeds unless you are comfortable sending the digest content to the configured provider; use Ollama for local-only summarization. Consider pinning dependencies or using a lockfile in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Tainted flow: 'url' from os.environ.get (line 109, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}

    try:
        r = requests.post(url, json=payload, timeout=120)
        r.raise_for_status()
        data = r.json()
        return data.get("response", "")
Confidence
98% confidence
Finding
r = requests.post(url, json=payload, timeout=120)

Missing Permission Declaration (Lp3)

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and appears to rely on network access, environment access, and file output, but the manifest shown in SKILL.md does not declare permissions or equivalent capability constraints. That creates a security transparency gap: users and platforms cannot accurately evaluate what the skill may access, which increases the risk of over-privileged execution, unexpected data exposure from environment variables, and unintended file writes.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module does more than a transient deduplication cache: it appends a daily JSONL history containing feed item titles, links, publication times, and source names to disk. Persistent collection of activity/history data increases privacy and data-retention risk, especially because it is stored automatically in a user home cache path without any visible consent, retention control, or access-hardening.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The docstring states the module is only for deduplication cache behavior, but the code also writes persistent history logs of feed content. This mismatch hides data-collection behavior from reviewers and users, reducing transparency and making unexpected persistence harder to detect or audit.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises optional LLM summarization using Perplexity/OpenAI/Ollama but does not warn that feed titles, descriptions, or other content may be transmitted to an external provider. Users may enable the feature without understanding the data-sharing and privacy implications, especially if feeds include proprietary, internal, or sensitive sources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When --llm is enabled, the tool sends the generated digest content to an external LLM provider, which may include feed content, URLs, titles, or other data the user did not intend to disclose. This is not a code-execution risk, but it is a real privacy and data-handling risk because the CLI gives no explicit transmission warning and requires no confirmation at the point of use.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The code silently appends feed metadata to a daily history file with no user-facing notice, toggle, or warning. Even though the data is not highly sensitive by itself, it can reveal reading interests, monitoring targets, and usage patterns over time, which is a privacy issue in an aggregation skill.

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.10
requests>=2.31.0
click>=8.1.7
pyyaml>=6.0.1
Confidence
96% confidence
Finding
feedparser>=6.0.10

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.10
requests>=2.31.0
click>=8.1.7
pyyaml>=6.0.1
python-dateutil>=2.8.2
Confidence
96% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.10
requests>=2.31.0
click>=8.1.7
pyyaml>=6.0.1
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
click>=8.1.7

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.10
requests>=2.31.0
click>=8.1.7
pyyaml>=6.0.1
python-dateutil>=2.8.2
Confidence
97% confidence
Finding
pyyaml>=6.0.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
click>=8.1.7
pyyaml>=6.0.1
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
python-dateutil>=2.8.2

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
75% confidence
Finding
requests

Known Vulnerable Dependency: pyyaml — 8 advisories: CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
86% confidence
Finding
pyyaml

VirusTotal

59/59 vendors flagged this skill as clean.