Insight Radar (洞察雷达)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent instruction-only news briefing skill, with the main things to review being its persistent local memory writes, web lookups, and dependency skills.

This looks reasonable for a personalized news-intelligence workflow. Before installing, review the two dependency skills, check what personal details are in USER.md, confirm the news categories you want searched, and inspect any separate scheduler or Feishu integration before enabling external delivery.

SkillSpector

By NVIDIA

SkillSpector has not run for this release. Legacy ClawScan findings remain available under Risk analysis.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Search queries and fetched article URLs/content may be sent to the agent's web tools.

Why it was flagged

The skill explicitly uses external web tools to search for news and fetch article content; this is expected for a news intelligence workflow.

Skill content
network:
    - WebSearch  # Search recent news via web search API
    - WebFetch  # Fetch article content for URL validation
Recommendation

Review the configured news categories and avoid putting private or sensitive interests into search categories if you do not want them sent to web search tools.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill's effective behavior depends partly on its two dependency skills, not just this package.

Why it was flagged

The skill relies on two separately installed skills that are not part of this artifact set.

Skill content
clawhub install kedoupi/core-prism
clawhub install kedoupi/news-source-manager
Recommendation

Review and trust the core-prism and news-source-manager skills before relying on this workflow.

ASI06: Memory and Context Poisoning
Low
What this means

Personal context may shape the briefing, and web-derived analysis can persist into future memory files if reused by the agent.

Why it was flagged

The skill reads personal context and writes persistent local memory/knowledge-base files.

Skill content
read:
    - USER.md  # User context for [E] Execution personalization
    - memory/news-sources.json  # News category config
write:
    - memory/news-log/
    - memory/knowledge-base/concepts.md
    - memory/knowledge-base/patterns/*.md
Recommendation

Keep USER.md limited to information you are comfortable using for personalization, and periodically review or prune the generated memory/news-log and knowledge-base files.

ASI07: Insecure Inter-Agent Communication
Info
What this means

If a separate scheduler or caller sends the generated briefing to Feishu, personalized briefing content could leave the local workspace.

Why it was flagged

The README references optional external delivery/storage via Feishu, while the skill itself states external delivery is handled by a caller.

Skill content
6. (Optional) Write to Feishu Bitable
Recommendation

Before enabling any HEARTBEAT, Feishu, or scheduled delivery integration, review that caller's configuration and credentials separately.