Morning Briefing AI News

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI news briefing helper that fetches public RSS feeds and only saves or automates output when the user explicitly configures that behavior.

Use the explicit /ai-news command where possible. If you enable saving, save to a dedicated folder such as ~/ai-news or ~/.openclaw/ai-news. Only configure the optional cron or Telegram/Discord delivery for non-sensitive briefings and destinations you control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The README suggests invoking the skill with very broad natural-language prompts such as "What's new in AI?" and "Morning AI briefing," which can overlap with ordinary conversation. In agent environments that auto-route or infer skill usage from user text, this can cause unintended skill activation and unexpected external feed access or scheduled behavior, even though the skill itself appears news-focused and not overtly dangerous.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The invocation examples include broad natural-language triggers like "AI news", "morning briefing", and "what's new in AI," which can overlap with ordinary user requests and cause the skill to activate unintentionally. In a user-invocable skill that performs network fetches and can optionally write files, overbroad triggers increase the risk of surprise execution and unintended tool use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal