Back to skill

Security audit

tech-news-bulletin

Security checks across malware telemetry and agentic risk

Overview

The skill is a real tech-news email bulletin, but it can automatically send email from the user's SMTP account to hard-coded recipients and shares article text with a fixed HTTP summarizer.

Review and edit EMAIL_ADDRESSES before setting SMTP credentials or running the skill. Only enable the cron job if recurring outbound email is intended, and only use the fixed Ollama endpoint if you trust it to receive article text and possible feed content. Treat /tmp/openclaw-debug.log as containing digest content until logging is reduced or redirected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'text' from requests.get (line 279, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
try:
        logging.debug(f"Summarizing article with Ollama: {text}...")
        resp = requests.post(
            "http://172.20.86.203:11434/api/generate",
            json={
                "model": model,
Confidence
92% confidence
Finding
resp = requests.post( "http://172.20.86.203:11434/api/generate", json={ "model": model, "prompt": ( f"Summarize this

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill uses sensitive capabilities including environment variables and outbound network access, but does not declare corresponding permissions. This weakens transparency and policy enforcement, making it harder for users or the platform to understand that the skill can access SMTP credentials and communicate with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior understates materially important actions: fetching third-party content, sending article content to an external LLM endpoint, and emailing to configured recipients. This mismatch can cause unreviewed data exfiltration or unintended outbound actions because users may invoke the skill without realizing their content and credentials will be used in broader ways than described.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script contains a hard-coded list of recipient email addresses and will automatically send the compiled digest to them whenever SMTP credentials are present. That creates an exfiltration path to fixed third parties that is stronger than a user-configured mailing feature and is risky because fetched and generated content is distributed without runtime confirmation or tenant-specific control.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill does not prominently warn users that it will send emails to configured recipients and transmit collected content over SMTP and other network channels. In a skill that automatically aggregates and distributes content, lack of clear notice increases the risk of unintended disclosure, surprise outbound messaging, and misuse of stored SMTP credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code transmits article contents to an external summarization service without any user-facing notice, policy check, or consent mechanism. Even if the target is an internal host, this is still a disclosure risk because raw fetched content leaves the immediate processing path and may be logged, retained, or inspected by another service.

Ssd 3

Medium
Confidence
96% confidence
Finding
The script logs raw article text before summarization and later logs the full generated HTML digest, both to a plaintext file in /tmp. This can expose fetched content, embedded sensitive strings, recipient-facing output, and model responses to other local users or processes, especially because /tmp is a shared location on many systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.