ClawHub

News Summary Litiao

Security checks across malware telemetry and agentic risk

Overview

This is a coherent news-summary skill with an optional voice mode that sends the generated summary to OpenAI for text-to-speech.

Safe for ordinary public news summaries. Before installing, confirm the package identity because bundled metadata differs from the registry listing, and use voice output only when you are comfortable sending the generated summary text to OpenAI and creating a temporary audio file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill offers a voice-summary workflow that sends generated summary text to an external API and writes the resulting audio to /tmp/news.mp3, but this data flow is not disclosed in the skill description or accompanied by consent guidance. In contexts where summaries may include user-provided or sensitive content, this can lead to unintended third-party transmission and local artifact creation without clear notice.

External Transmission

Medium
Category
Data Exfiltration
Content
3. Send as audio message

```bash
curl -s https://api.openai.com/v1/audio/speech \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
92% confidence
Finding
curl -s https://api.openai.com/v1/audio/speech \ -H "Authorization: Bearer $OPENAI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
3. Send as audio message

```bash
curl -s https://api.openai.com/v1/audio/speech \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
92% confidence
Finding
https://api.openai.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal