Security audit

news-aggregator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed news aggregation helper that sends news searches and summaries through the SkillBoss API, with no hidden scripts or persistence found.

Install only if you are comfortable sending news queries and retrieved search-result text to SkillBoss for processing. Use a dedicated, rotatable SkillBoss API key and avoid placing private, internal, or sensitive material into news queries or summarization prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly sends collected search results to an external chat API for summarization, but it does not warn the user that retrieved content may be transmitted to a third-party service. This creates a data-handling and privacy risk, especially if search results include sensitive queries, internal URLs, or user-provided material.

External Transmission

Medium
Category: Data Exfiltration
Content
API_BASE = "https://api.skillbossai.com/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence: 86%
Finding
requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category: Data Exfiltration
Content
import requests, os

SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
API_BASE = "https://api.skillbossai.com/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
Confidence: 80%
Finding
https://api.skillbossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.