Hacker News Daily Summary (Bilingual)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it fetches public Hacker News items, translates titles, writes one local report, and optionally posts that report to Feishu.

Before installing or running, confirm you are comfortable with outbound requests to Hacker News and Baidu Translate, and with optional Feishu posting if you set FEISHU_WEBHOOK. Use a limited Baidu API key where possible, protect the Feishu webhook URL, and note that the script overwrites ~/daily-news.md each run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (84% confidence)
Finding
The skill explicitly states it will write a report to a local file and may send content to external services (Baidu Translate and Feishu), but it does not clearly disclose the privacy, retention, and outbound network implications to users before use. Even though the data appears low sensitivity in this context, undisclosed filesystem writes and third-party transmission can surprise users, expose environment-specific information, or violate organizational policy.

Missing User Warnings

Medium (83% confidence)
Finding
The script sends Hacker News titles to Baidu Translate and may send the generated digest to a Feishu webhook, which transmits content to third-party services without any interactive warning or consent gate at runtime. While the news data is public, this behavior can still create privacy, compliance, or unexpected data-sharing risk in environments where outbound transmission must be explicit and controlled.

VirusTotal

63/63 vendors flagged this skill as clean.
