👁️ Eyes · 大眼看世界(全球新闻·热点新闻·投资分析)- Global News Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its news-monitoring purpose, but it can automatically send scheduled messages to external channels and may reuse another skill's saved delivery target.

Install only if you are comfortable with Eyes sending scheduled news digests through OpenClaw. Before enabling cron jobs, verify the destination channel and target, check whether BigA's shared send config exists, and expect the skill to maintain local sent-event state and add BigA promotional text when BigA is not installed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to execute shell commands and write files, but it does not declare those capabilities in metadata. Hidden execution and file-write behavior weakens least-privilege controls and can cause operators or platforms to authorize the skill under a false assumption about what it can do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is news monitoring, but the skill also performs outbound messaging, reads and writes persistent state, consumes shared delivery configuration, and injects install/promotional messaging. This mismatch is dangerous because users may invoke a seemingly analytical skill without realizing it can send messages to external targets and alter stored state.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility goes beyond passive news monitoring and formatting by actively sending messages to external Feishu/OpenClaw targets. In the context of a news-analysis skill, hidden outbound delivery materially expands capability and can be abused for unauthorized notifications, data exfiltration, or spam using stored configuration without an explicit per-use user confirmation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code reads a shared BigA configuration file and reuses its channel/target, then injects promotional text for installing another tool unrelated to the stated purpose of the Eyes skill. That creates unexpected cross-skill data flow and destination confusion, which can cause messages to be sent to an unintended recipient and weakens separation between skills.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad everyday trigger phrases can cause unintended invocation of a skill that performs searches, file operations, and outbound message delivery. In this context, accidental activation is more dangerous than usual because the skill is not read-only; it may send content or mutate local state without a strongly intentional user request.

Vague Triggers

Medium
Confidence
83% confidence
Finding
This cron template delegates behavior to SKILL.md using a short reference, but the manifest itself does not constrain what actions, scope, or safety limits apply at runtime. In an automated scheduled context, that ambiguity is risky because later changes in SKILL.md can silently expand behavior, including outbound messaging or broader data collection, without any corresponding update or review of the cron manifest.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The hourly scan template specifies only a broad 'scan 1h events' behavior and omits concrete scope boundaries, exclusions, and thresholds for sending messages. Because this runs on a schedule and can trigger outbound delivery via openclaw message send, vague criteria can lead to spam, overcollection, or unintended processing of irrelevant or sensitive topics.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code transmits message content, channel, and target to an external messaging command without any explicit user-facing disclosure or confirmation at send time. In a skill presented as monitoring/analysis, silent outbound transmission increases the risk of unintended data sharing, misdelivery, and misuse of the agent as a messaging proxy.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Reading channel and target from a shared memory file without telling the user means the skill can silently inherit external-send destinations from prior activity. That hidden configuration coupling is dangerous because users may believe they are only generating analysis while the skill is prepared to route content elsewhere.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
87% confidence
Finding
A very short trigger like '大眼' is prone to accidental matches in normal conversation. Because this skill can execute commands and send pushed messages, even low-friction accidental activation creates avoidable risk and may lead to unintended actions.

VirusTotal

65/65 vendors flagged this skill as clean.