Macro-Information

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real macro-news query skill, but it handles API keys unsafely and has unclear provider/credential instructions, so users should review it before use.

Install only if you are comfortable reviewing and modifying the credential flow. Do not paste an API key into chat; use a scoped, revocable environment variable or secret store instead. Treat the current HTTP endpoint and query-parameter API key handling as unsafe for valuable credentials, and use --no-output or a controlled output directory when searches may reveal private research or business interests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability (Medium, 94% confidence)

Finding: The skill instructs the agent to inspect `.env` directly to locate API keys, which exposes local credential material unrelated to answering a macro-news query. Reading local secret files increases the chance of accidental credential disclosure, cross-skill data access, or misuse of unrelated secrets present in the environment.

Context-Inappropriate Capability (High, 95% confidence)

Finding: The skill expands from information retrieval into local code execution by directing the agent to run `python3 scripts/query_macro_information.py ...` via shell. Any skill that invokes local executables materially increases attack surface, because argument injection, script tampering, dependency abuse, or unintended host interaction can occur.

Context-Inappropriate Capability (Medium, 88% confidence)

Finding: The skill requires automatic writing of full results to local CSV and Markdown files, even though the manifest only describes querying and presenting macro-economic news. Unnecessary file persistence creates a data-retention surface and can leak searched content, derived analysis, or other sensitive query context to the local filesystem.

Intent-Code Divergence (Medium, 90% confidence)

Finding: The documentation inconsistently references FEEDAX in some sections and GOLAXY in others, including differing credential guidance and service references. Authentication and endpoint ambiguity can cause operators or agents to send credentials to the wrong service or follow an unsafe workflow, increasing the likelihood of secret mishandling.

Intent-Code Divergence (Medium, 89% confidence)

Finding: The skill uses contradictory API key names across sections, such as FEEDAX-related variables earlier and GOLAXY-related variables later. This kind of auth mismatch can lead to broken controls, accidental exposure of the wrong secret, or manual operator workarounds that bypass safer secret-handling practices.

Missing User Warnings (Medium, 87% confidence)

Finding: The README encourages passing the API key on the command line and storing it in a local config file, but it does not warn that command-line arguments may be exposed via shell history or process listings and that plaintext config files can be accidentally committed or read by other local users. This is a real credential-handling weakness in documentation because users are likely to follow the provided examples directly.

Missing User Warnings (Low, 76% confidence)

Finding: The README states that CSV and Markdown output files are generated by default but does not warn that retrieved monitoring results may be written to disk and persist beyond the session. Even if the queried data is not always highly sensitive, saved outputs can expose proprietary research, search intent, or regulated/internal monitoring data if stored on shared systems or accidentally synced or committed.

Missing User Warnings (Medium, 90% confidence)

Finding: Automatically saving all query results to local files without a prominent user warning creates silent data persistence. Even if the data is not highly sensitive by default, search topics, filters, and result sets can reveal business interests, research intent, or user behavior and remain accessible after the session.

Missing User Warnings (High, 98% confidence)

Finding: The instruction telling the user to provide an API key in chat 'so it can remember it' normalizes sharing secrets directly with the assistant and implies retention of credentials. This creates a direct secret-exposure risk through conversation logs, model memory features, debugging traces, or downstream integrations.

Missing User Warnings (High, 96% confidence)

Finding: The execution flow combines reading secrets from `.env` with asking the user to provide the API key in conversation, but omits any warning about exposure or privacy. This encourages unsafe secret handling and increases the chance that credentials will be stored in logs or disclosed to unauthorized components.

Missing User Warnings (Medium, 99% confidence)

Finding: The base URL uses plain HTTP, and the code sends the API key in both the query string and headers over that connection. This exposes credentials and user queries to interception or modification by any party on the network path, enabling credential theft, request tampering, and response manipulation.

Ssd 3 (High, 99% confidence)

Finding: Requesting that the user share their API key 'so I can remember it' is a clear secret-retention anti-pattern. It encourages collection, conversational storage, and possible reuse of credentials beyond the immediate task, creating a meaningful risk of credential theft or later leakage.

Ssd 3 (High, 98% confidence)

Finding: The workflow explicitly instructs the assistant to ask for and retain an API key during execution, which is unnecessary and dangerous for a search skill. Credential collection in conversation can expose secrets via logs, transcripts, analytics systems, or future context reuse.

VirusTotal

57/57 vendors flagged this skill as clean.