Ai Cv Weekly

Security checks across malware telemetry and agentic risk

Overview

This report-generation skill is mostly coherent, but its external-skill proxy can import and execute any Python module and function named in its configuration, with no allowlist or sandbox.

Install only if you trust the publisher and will control which sources are enabled. Avoid using skill_proxy with untrusted module names or functions, because it can run local Python code under the agent's privileges. In standalone mode, assume user prompts, profile preferences, and fetched report material may be sent to the configured LLM provider; rendered reports are also saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    try:
        mod = importlib.import_module(skill_module)
        fn = getattr(mod, skill_function)
    except (ImportError, AttributeError) as e:
        logger.error("skill_proxy: failed to import %s.%s: %s", skill_module, skill_function, e)
        return make_result(source_label, [])
Confidence
95% confidence
Finding
fn = getattr(mod, skill_function)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This registry entry exposes a generic proxy that can invoke an arbitrary installed Python skill module by configurable module path and function name. In a plugin ecosystem, that effectively widens the trust boundary from a fixed adapter allowlist to any locally installed skill, creating a strong code-execution and unsafe-capability escalation path if untrusted or overly powerful modules are present.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This adapter intentionally performs dynamic import and execution based entirely on runtime configuration, with no visible trust boundary, allowlist, signature verification, or sandboxing. If an attacker can modify config or influence the runtime environment/PYTHONPATH, they can cause arbitrary module import side effects and call attacker-chosen functions, resulting in full code execution under the agent's privileges.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module docstring states that items without a published timestamp are discarded, but the implementation only filters items when published_datetime is present and out of range. As a result, undated items are silently accepted, which can bypass freshness constraints and allow stale or untrusted content to flow through the pipeline despite the documented guarantee.
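The freshness divergence above, shown side by side as an added example (this is illustration code, not the skill's own filter; the Item class, the fixed clock, the sample feed items and the upper "no future-dated items" bound are constructed assumptions, since the page only describes the docstring and the one missing None check):

```python
"""Added example: a lenient freshness filter that matches the scanner's description
(undated items slip through) next to a strict one that matches the docstring."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fixed clock and window so the constructed sample is reproducible (assumptions).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(days=7)


@dataclass
class Item:
    """Minimal stand-in for a fetched report item; the real schema is not shown."""
    title: str
    published_datetime: Optional[datetime]  # None when the feed supplied no date


def _as_utc(ts: datetime) -> datetime:
    """Normalise naive timestamps to UTC so naive/aware comparisons cannot raise."""
    if ts.tzinfo is None:
        return ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def filter_fresh_lenient(items: List[Item], now: datetime = NOW,
                         window: timedelta = WINDOW) -> List[Item]:
    """The behaviour the finding describes: only items that HAVE a timestamp and
    fall before the cutoff are dropped, so undated items are silently kept."""
    cutoff = now - window
    kept = []
    for item in items:
        ts = item.published_datetime
        if ts is not None and _as_utc(ts) < cutoff:
            continue
        kept.append(item)
    return kept


def filter_fresh_strict(items: List[Item], now: datetime = NOW,
                        window: timedelta = WINDOW) -> List[Item]:
    """What the docstring promises: no timestamp means discard. Also drops items
    dated in the future (an assumed upper bound, since a window has two sides)."""
    cutoff = now - window
    kept = []
    for item in items:
        ts = item.published_datetime
        if ts is None:
            continue  # fail closed: undated content is not provably fresh
        ts = _as_utc(ts)
        if ts < cutoff or ts > now:
            continue
        kept.append(item)
    return kept


def sample_items() -> List[Item]:
    """Constructed feed: one fresh, one stale, one undated, one naive-but-fresh,
    one future-dated item."""
    return [
        Item("fresh", NOW - timedelta(days=2)),
        Item("stale", NOW - timedelta(days=30)),
        Item("undated", None),
        Item("naive-fresh", datetime(2024, 5, 31, 9, 0)),   # no tzinfo on purpose
        Item("future-dated", NOW + timedelta(days=3)),
    ]


def titles(items: List[Item]) -> List[str]:
    return [item.title for item in items]


if __name__ == "__main__":
    print("lenient keeps:", titles(filter_fresh_lenient(sample_items())))
    print("strict keeps: ", titles(filter_fresh_strict(sample_items())))
```

Run against the constructed feed, the lenient filter keeps the undated and future-dated items alongside the fresh ones, which is exactly the gap between the docstring and the code; the strict filter keeps only the two items whose timestamps fall inside the window.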

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented `skill_proxy` source enables callers to specify arbitrary external skill modules and functions for execution, effectively turning a reporting skill into a generic code/integration dispatcher. This breaks capability boundaries and can lead to unintended execution of untrusted modules, data exfiltration, or invocation of higher-risk skills through a seemingly low-risk interface.
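The three skill_proxy findings above all come down to one missing control: the configuration chooses both the module path and the attribute name, and the code imports and calls whatever that names. The following is an added example, not the skill's code, of the flagged pattern beside a pinned-allowlist form. The ALLOWED_SKILLS table, SkillNotAllowed, run_skill and the result-dict shape are assumptions standing in for the skill's real registry and make_result(); only the importlib.import_module/getattr lines mirror what the page shows.

```python
"""Added example: config-chosen dynamic import (the flagged pattern) versus a proxy
pinned to an allowlist of (module, function) pairs that live in code, not config."""
import importlib
import logging
from typing import Any, Callable, Dict, Tuple

logger = logging.getLogger(__name__)

# Constructed allowlist (assumption, not the skill's real registry). Config refers
# to a label; the module path and attribute name are fixed here and cannot be
# influenced by config or by whatever happens to be on PYTHONPATH.
ALLOWED_SKILLS: Dict[str, Tuple[str, str]] = {
    "json_dumps": ("json", "dumps"),
    "b64_decode": ("base64", "b64decode"),
}


class SkillNotAllowed(Exception):
    """Raised when configuration names a skill outside the allowlist."""


def unsafe_resolve(skill_module: str, skill_function: str) -> Callable[..., Any]:
    """The flagged pattern: both strings come from config, so a config entry of
    ("subprocess", "run") resolves to exactly that, and importing an attacker-
    placed module runs its top-level code as a side effect."""
    mod = importlib.import_module(skill_module)
    return getattr(mod, skill_function)


def safe_resolve(skill_label: str) -> Callable[..., Any]:
    """Hardened form: the label is checked against the allowlist BEFORE anything
    is imported, and the resolved attribute must be callable."""
    try:
        module_name, func_name = ALLOWED_SKILLS[skill_label]
    except KeyError:
        raise SkillNotAllowed(f"{skill_label!r} is not an allowlisted skill") from None
    mod = importlib.import_module(module_name)
    fn = getattr(mod, func_name, None)
    if not callable(fn):
        raise SkillNotAllowed(f"{module_name}.{func_name} is not callable")
    return fn


def run_skill(config: Dict[str, Any], *args: Any, **kwargs: Any) -> Dict[str, Any]:
    """Dispatch one configured call; on refusal, fail closed with an empty item
    list, the same shape of outcome the original returns on import failure."""
    label = str(config.get("skill", ""))
    try:
        fn = safe_resolve(label)
    except SkillNotAllowed as e:
        logger.error("skill_proxy: refused %s: %s", label, e)
        return {"source": label, "items": [], "error": str(e)}
    return {"source": label, "items": [fn(*args, **kwargs)], "error": None}


if __name__ == "__main__":
    # Unsafe: config fully decides what runs.
    print(unsafe_resolve("subprocess", "run"))
    # Safe: only labelled, pre-approved pairs resolve; anything else is refused.
    print(run_skill({"skill": "json_dumps"}, {"a": 1}))
    print(run_skill({"skill": "os.system"}))
```

The point of the allowlist is where the module string originates: in the flagged version it is data, so anyone who can write the config file or plant a module earlier on the import path controls execution; in the pinned version it is code, so the only way to add a callable is a code change that goes through review.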

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module docstring materially understates the module's behavior by claiming it only performs data fetching, deduplication, and rendering, while plan_report also attempts to load and return user profile data. This kind of misleading documentation can hide privacy-relevant behavior from reviewers and integrators, increasing the chance of unintended personal data exposure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
plan_report reads a user profile from settings.user_profile_path and returns the full dumped profile to the caller, even though the function's stated purpose is intent parsing and source suggestion. This creates unnecessary access to potentially sensitive personal data and broadens exposure to any caller of the tool without clear need-to-know controls.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The planner injects the full user profile into the system prompt sent to the LLM, which can expose personal or sensitive user data to an external model provider without any visible minimization, consent, or disclosure at this call site. Because this is a planning step, the model may not need the entire profile, so oversharing increases privacy and compliance risk if the profile contains identifying or sensitive information.
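The two planner findings above (the full profile returned to the caller, the full profile injected into the system prompt) are both addressed by minimising the profile to the fields the planning step actually uses and telling the user what is sent. The following is an added example, not the skill's code; the profile schema, the PLANNING_FIELDS set and the provider name are constructed assumptions, since the page shows neither the user_profile format nor the prompt.

```python
"""Added example: field-allowlist minimisation of a user profile before it is
placed in an LLM system prompt, plus a user-facing disclosure of what is sent."""
import json
from typing import Any, Dict, List

# Constructed profile (assumption): the real user_profile_path contents are not shown.
SAMPLE_PROFILE: Dict[str, Any] = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "employer": "Example Labs",
    "topics": ["malware telemetry", "agentic risk"],
    "preferred_sources": ["arxiv", "blogs"],
    "max_items": 20,
}

# The only profile fields a planning step needs (assumption). Identity fields
# such as name, email and employer are deliberately absent.
PLANNING_FIELDS = frozenset({"topics", "preferred_sources", "max_items"})


def minimize_profile(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Allowlist, not denylist: unknown or newly added fields are withheld by default."""
    return {k: profile[k] for k in sorted(PLANNING_FIELDS) if k in profile}


def withheld_fields(profile: Dict[str, Any]) -> List[str]:
    """Fields present in the profile that will NOT leave the machine."""
    return sorted(k for k in profile if k not in PLANNING_FIELDS)


def build_planner_prompt(profile: Dict[str, Any]) -> str:
    """System prompt built only from the minimised profile."""
    minimal = minimize_profile(profile)
    return ("You plan a weekly security report for the user. "
            "User preferences (JSON): " + json.dumps(minimal, sort_keys=True))


def disclosure(profile: Dict[str, Any], provider: str) -> str:
    """Notice to show the user before the remote call, answering the
    'Missing User Warnings' finding at this call site."""
    sent = ", ".join(sorted(minimize_profile(profile)))
    held = ", ".join(withheld_fields(profile)) or "none"
    return f"Sending profile fields [{sent}] to {provider}; withholding [{held}]."


if __name__ == "__main__":
    print(disclosure(SAMPLE_PROFILE, "example-llm-provider"))
    print(build_planner_prompt(SAMPLE_PROFILE))
```

Because the allowlist is closed, a future profile field (a phone number, an API token) stays local until someone consciously adds it to PLANNING_FIELDS, which is the opposite default from dumping the whole profile into the prompt.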

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code sends item titles, sources, and portions of raw text to an external LLM service, which can expose sensitive, proprietary, or personal data if the inputs are not pre-sanitized or if users are unaware of the transfer. In an agent pipeline, this matters because summarization is applied automatically and at scale, increasing the chance that confidential content is transmitted to a third-party processor without adequate consent, minimization, or policy controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to fetch data from external sources but does not warn that user queries and derived topic information will be transmitted over the network to third-party services. This can expose sensitive prompts, internal topics, or proprietary research interests without informed user consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents rendering reports to HTML/PDF/PNG/Markdown/JSON files on disk without warning the user that content will be persisted locally. If the report contains sensitive material, this can create unexpected data-at-rest exposure, forensic artifacts, or storage in insecure/shared locations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently loads profile data inside a broad try/except and includes it in the returned payload without any user-facing notice. Hidden collection and propagation of profile information undermines informed consent and can leak sensitive preferences or identifiers to downstream components that were only expected to receive report-planning data.

VirusTotal

66/66 vendors flagged this skill as clean.
