Clawfeed

Security checks across malware telemetry and agentic risk

Overview

ClawFeed is a coherent news-digest server, with some documentation and operational hygiene issues users should review before exposing it beyond localhost.

Install only if you are comfortable running a local Node server with SQLite. Before exposing it to anyone else:
  • Set strong, randomly generated API_KEY and SESSION_SECRET values before enabling write or OAuth features.
  • Do not reuse the staging API key printed in the documentation; treat any credential that appears in docs as already public.
  • Do not expose the service beyond localhost without authentication and reverse-proxy controls (for example TLS termination and rate limiting).
  • Disclose Lark feedback forwarding to users or disable it, since report contents leave the primary system for an external messaging platform.
  • Run the setup and teardown test scripts only against a dedicated test database; they insert and delete rows in whatever AI_DIGEST_DB points at.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The documentation explicitly claims the tool runs in "read-only mode with zero credentials", yet later documents unauthenticated POST /api/digests and PUT /api/config endpoints. This mismatch can mislead operators into deploying the service with weaker protections than required, enabling unauthorized state changes or reconfiguration.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The credentials section says authentication features require extra credentials, but the API table later shows an unauthenticated configuration update capability. That inconsistency can cause administrators to assume only the optional user-facing auth needs protection while leaving configuration-changing routes exposed.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documentation describes write-capable endpoints without authentication and without warning about their ability to alter application state. Even in documentation, presenting unsafe defaults for config updates and digest creation increases the likelihood of insecure deployment and unauthorized modifications.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The document discloses a hardcoded staging API key and shows exactly how to use it in requests. Even though it is labeled as staging, exposed credentials are often reused, copied into other environments, or abused to modify test data and pivot into broader internal access, especially since the document also states that auth is disabled for testing.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The quick-start command runs setup, end-to-end tests, and teardown in one line, and the document elsewhere states that setup directly injects test users and sessions into SQLite. Without a prominent warning that this modifies and deletes database state, a user could accidentally point AI_DIGEST_DB at a non-test database and cause unintended data creation or cleanup. The skill context increases the risk because the docs explicitly encourage direct database manipulation and destructive cleanup operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The PRD explicitly plans automatic collection of page URL, browser user agent, and login status, but does not mention any user notice, consent mechanism, minimization, or retention controls. This can expose sensitive contextual data in bug reports, especially if URLs or login-state fields reveal internal routes, identifiers, or account information, and the risk is higher because the feature is meant to run broadly across application pages.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The document allows submitted feedback to be forwarded to a Lark webhook without warning that report contents and screenshots may leave the primary system and be delivered to an external messaging platform. This creates a realistic risk of unintended disclosure of internal application data, URLs, screenshots, or user context to a broader audience than expected.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The PRD states that submitted feedback details, including username, email, message excerpt, and timestamp, are sent to a Lark group via webhook, but it does not document any user-facing notice, consent, or data-minimization control. This creates a real privacy and data-governance risk because potentially sensitive user content is disclosed to a third-party messaging system and a wider audience than the primary product datastore.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The planned enhancement explicitly mentions automatic collection of page URL and browser information, but the PRD does not mention transparency, consent, or limits on what may be captured. URLs and browser metadata can contain sensitive tokens, internal paths, or identifying information, so silent collection increases privacy exposure and the chance of over-collection beyond what users expect from a feedback feature.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The PRD proposes collecting sensitive, user-specific Twitter data such as For You, Favorites, and Bookmarks, but does not define explicit user consent UX, retention limits, access controls, or privacy disclosures. Because these data types can reveal personal interests and behavior patterns, implementing them without strong privacy guardrails could result in overcollection, unauthorized access, or regulatory/privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The feedback endpoint forwards user name, email, and message content to an external Lark webhook, creating a data-sharing path to a third party. Even if intentional for notifications, sending potentially sensitive user-submitted content externally without explicit notice, consent, minimization, or validation introduces privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: This script directly inserts test users and active sessions into whatever SQLite database path is provided by AI_DIGEST_DB, with no guardrails, confirmation, or environment check. If a user points it at a non-test or production database, it can contaminate live data and create usable authentication sessions for fixed test accounts, which is a real security and integrity risk even if intended for testing.

VirusTotal

66/66 vendors flagged this skill as clean.
