leesen86-news

Security checks across malware telemetry and agentic risk

Overview

The core news fetcher is reasonable, but the package also contains under-disclosed Feishu message-sending scripts with hardcoded gateway credentials and a default recipient.

Install only if you understand and want the Feishu push scripts. For normal BlockBeats JSON fetching, use new.js only and avoid push-news.js/send-feishu.js. The publisher should remove or rotate the embedded gateway token, document Feishu/gateway permissions, require explicit recipient selection and send confirmation, and replace shell execSync with safer argument-based process execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
This finding indicates the actual skill behavior goes beyond the declared scope by sending data through a local Gateway API to Feishu, using hardcoded tokens, account identifiers, and default recipients, while persisting sent IDs locally. Hidden outbound messaging and embedded secrets materially change the trust model: the skill can exfiltrate or broadcast processed data without clear user awareness or consent.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The skill metadata says it fetches and filters crypto news and outputs cleaned JSON for downstream automation, but this code actually sends messages to Feishu. That hidden side effect materially expands the skill's authority from data processing to outbound communication, which can be abused for unauthorized exfiltration, spam, or covert notifications without the caller expecting it.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
Instead of producing JSON as declared, the code formats news into a chat-oriented rich text string with markdown links and emojis. This contract mismatch can mislead downstream systems and operators about what the skill does, making it easier to smuggle unreviewed content into messaging workflows or bypass controls built around structured JSON output.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
A news scraping/filtering skill should not also contain outbound messaging capability unless that behavior is explicitly declared and approved. Embedding message delivery creates an unnecessary privilege escalation path: any caller using the skill for data retrieval could trigger communications to fixed or user-supplied targets.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
This file implements outbound Feishu messaging, which is unrelated to the stated crypto-news skill purpose of fetching and filtering BlockBeats content. In an agent skill, undeclared communication capability is dangerous because it can be used to exfiltrate fetched data, send spam, or trigger side effects outside the user's expected workflow.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The code exposes a generic message-sending primitive to Feishu through a local gateway, taking caller-controlled message content and recipient target. In the context of a news retrieval skill, this unjustified outbound channel expands the attack surface and enables covert data transfer or unauthorized messaging if the skill is invoked by other components.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The file header openly states that the script sends Feishu messages, which conflicts with the parent skill's declared news-fetching purpose. Such mismatches are a security concern in agent ecosystems because they hide non-obvious side effects and make it easier for dangerous capabilities to be smuggled into seemingly harmless skills.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
A hardcoded bearer token embedded in source code can be extracted by anyone with code access and reused to invoke the local gateway's messaging tool. Even if the gateway binds to localhost, local compromise, code leakage, logs, backups, or repository exposure can turn this into credential theft and unauthorized message sending.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The code performs outbound HTTP message delivery containing message text and target identifiers without any explicit user disclosure, approval, or policy enforcement. In the context of a skill advertised as data retrieval/JSON output, this makes the behavior especially risky because operators may not realize invoking it causes external communications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The request sends both a bearer token and user-provided message content to an HTTP API without any user-facing disclosure, approval step, or visible safeguards. This is risky because it can silently transmit sensitive data and perform external actions on behalf of the user, especially when embedded in a skill not described as a messaging tool.

VirusTotal

66/66 vendors flagged this skill as clean.
