
Security audit

Auto news podcast

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it reuses broad local credentials and can automatically run other installed skills, so it needs review before installation.

Install only if you are comfortable with this skill reading OpenClaw model configuration and API keys, sending search terms/news text/prompts to external search and model providers, downloading remote images, and invoking separately installed helper skills. Use limited-scope API keys, verify model base URLs, and avoid pairing it with untrusted helper skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
script_path = os.path.join(autoglm_skill, 'scripts', 'generate.py')
if os.path.exists(script_path):
    result = subprocess.run(
        [sys.executable, script_path,
         '--prompt', prompt,
         '--output', output_path],
Confidence
89% confidence
Finding
result = subprocess.run( [sys.executable, script_path, '--prompt', prompt, '--output', output_path], c

Tainted flow: 'headers' from os.getenv (line 1682, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    'stream': False
}

response = requests.post(
    f'{api_base}/chat/completions',
    headers=headers,
    json=data,
Confidence
84% confidence
Finding
response = requests.post( f'{api_base}/chat/completions', headers=headers, json=data, timeout=120 )

Tainted flow: 'data' from input (line 1217, user input) → requests.post (network output)

Medium
Category
Data Flow
Content
    'stream': False
}

response = requests.post(
    f'{api_base}/chat/completions',
    headers=headers,
    json=data,
Confidence
81% confidence
Finding
response = requests.post( f'{api_base}/chat/completions', headers=headers, json=data, timeout=120 )

Tainted flow: 'img_url' from requests.get (line 2193, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
img_url = urljoin(url, img_url)

# Download the image
img_response = requests.get(img_url, headers={
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Referer': url
}, timeout=15)
Confidence
96% confidence
Finding
img_response = requests.get(img_url, headers={ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Refere

Tainted flow: 'img_url' from requests.get (line 2285, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if data.get('results'):
    for img in data['results']:
        img_url = img['urls']['regular']
        img_data = requests.get(img_url, timeout=15).content
        if len(img_data) >= 10240:
            with open(cover_path, 'wb') as f:
                f.write(img_data)
Confidence
95% confidence
Finding
img_data = requests.get(img_url, timeout=15).content

Tainted flow: 'img_url' from requests.get (line 181, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
img_url = urljoin(url, img_url)

# Download the image
img_response = requests.get(img_url, headers={
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Referer': url
}, timeout=15)
Confidence
95% confidence
Finding
img_response = requests.get(img_url, headers={ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Refere

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill invokes another local skill script through subprocess for audio generation, which expands execution scope beyond simple content generation into arbitrary local program execution. Even if intended for TTS, subprocess use increases the attack surface because downstream scripts may process untrusted text, write files, or have their own unsafe behavior.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill instructs use of ffmpeg for audio concatenation, introducing shell or external process execution into a workflow that already handles variable user-derived content and file paths. While media processing is relevant to podcast creation, external command execution still creates risk if filenames, temporary paths, or concat lists are not strictly controlled.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The skill reads global OpenClaw configuration from the user's home directory to discover model providers and API keys, which exceeds the user-visible task of generating a news podcast. Accessing global config and secrets increases sensitivity because the skill can enumerate or misuse credentials unrelated to the immediate task.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill reads broad global OpenClaw configuration, including model provider settings and potentially API credentials unrelated to the specific user request. In a skill ecosystem, that is dangerous because an otherwise simple content-generation skill gains access to cross-agent secrets and infrastructure configuration well beyond least privilege.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The module executes a Python script from a user-home skill directory (~/.agents/skills/autoglm-generate-image), which is a mutable local path outside the module's control. If that directory or script is replaced or tampered with, running this function will execute attacker-supplied code with the current user's privileges.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This image-search component silently chains into a separate AI image-generation skill, which is a broader capability than simple image retrieval. That increases attack surface and can surprise users by executing code from another skill package with its own dependencies and behaviors.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill automatically creates directories and multiple output files under the workspace without a prominent upfront warning or explicit confirmation. In context this is related to the skill's purpose, so it is less severe than arbitrary file writes, but silent writes can still surprise users and overwrite expectations about local state.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill silently reads sensitive API keys from configuration and environment and later uses them in outbound requests, without clear disclosure to the user. In a multi-skill environment, this is a privacy and trust-boundary issue because a content skill can consume ambient credentials the user did not knowingly authorize it to use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
User search terms are sent to external search providers without an explicit privacy warning or opt-in. Even if the skill's functionality implies search, queries may reveal sensitive interests, organizations, or topics the user did not expect to share with third parties.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Collected news content and generated prompts are bundled and sent to an external LLM provider without explicit disclosure. This is risky because the LLM endpoint may retain prompts, and the skill dynamically selects providers from a broad local configuration rather than a clearly disclosed fixed service.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The full generated script text is sent to external or helper TTS components without clear user warning. That script may contain sensitive topics, user-provided phrasing, or aggregated content the user did not expect to leave the local environment.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/fetch_and_generate_v2.py:268

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:767