ClawFeed

Security checks across malware telemetry and agentic risk

Overview

ClawFeed is a coherent news-digest server, but it needs review because its artifacts include real-looking staging credentials, risky remote-test defaults, unclear documentation around write APIs, and optional forwarding of user feedback to Lark.

Install only after reviewing the staging key and rotating it if real, setting your own API_KEY and secrets, and confirming the server is not exposed publicly without access controls. Run tests only against an isolated local database and API URL, and enable FEEDBACK_LARK_WEBHOOK only if users are clearly told their feedback details may be sent to Lark.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
The documentation states the tool runs in "read-only mode," but the same file documents state-changing endpoints such as POST /api/digests and PUT /api/config. This mismatch can mislead operators into deploying the service with weaker controls, increasing the chance of unauthorized modification of digests or configuration.

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
The document states tests do not depend on external services, yet the default environment variables point to remote hosted API and feed endpoints. This mismatch can cause operators to run destructive or state-mutating tests against a shared remote environment, risking unintended data modification and invalid test assumptions.

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
updateMarkStatus updates a mark solely by id and does not scope the update to the owning user, unlike deleteMark which checks both id and user_id. If this function is reachable from user-controlled routes, an attacker who can guess or enumerate mark IDs could modify another user's mark status, causing unauthorized data tampering.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The API table describes unauthenticated write and configuration endpoints, including POST /api/digests and PUT /api/config, while showing Auth as "-" and providing no warning about impact. If implemented as documented, an unauthenticated user could alter service behavior or create/modify data remotely, which is a direct integrity risk.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The document exposes a hard-coded API key and demonstrates its direct use in requests, which turns documentation into credential disclosure. Even if the key is intended for staging, exposed secrets are frequently reused, scraped, or used to access non-production systems that still contain sensitive internal data or provide a foothold for further compromise.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The quick-start command instructs users to run setup, E2E, and teardown scripts without clearly warning that these scripts directly write test users/sessions and delete database records. In combination with configurable database paths and remote API defaults, this increases the chance of accidental data corruption or execution against the wrong environment.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The PRD explicitly requires automatic collection of page URL, browser user agent, and login status and transmission to a separate feedback service, but it does not mention any user notice, consent, minimization, or data handling controls. Even in a staging-focused bug-report workflow, these fields can reveal sensitive internal routes, session context, environment details, or personal/account state, creating a real privacy and information exposure risk if over-collected, retained, or forwarded to third parties such as Lark.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The PRD states that feedback submissions may be forwarded to a Lark group with username, email, message excerpt, and timestamp, but it does not document any user notice, consent, or data-sharing disclosure. This creates a real privacy and compliance risk because users may reasonably believe they are submitting data only to the product, while their content and identifiers are also sent to an external messaging platform and visible to a broader audience.

Missing User Warnings

Severity: Medium. Confidence: 86%.
The planned ClawMark enhancement includes automatic collection of page URL and browser information, but the PRD does not mention any user warning, consent flow, or scoping limits for that telemetry. URLs and browser metadata can contain sensitive information such as query parameters, internal paths, account context, or fingerprinting-relevant details, so collecting them silently increases privacy risk and the chance of over-collection.

Missing User Warnings

Severity: Medium. Confidence: 81%.
deletePack permanently deletes a source pack by id with no ownership or authorization constraint in the database method. If higher layers call this without strict access control, any user able to supply a pack ID could delete packs they do not own, leading to unauthorized destructive actions.

Missing User Warnings

Severity: Medium. Confidence: 92%.
User-submitted feedback, including message text and optionally name/email, is forwarded to an external Lark webhook without any consent check, minimization, or visibility in this server flow. This creates a privacy and data-sharing risk because potentially sensitive content is automatically disclosed to a third-party service outside the primary application boundary.

VirusTotal

66/66 vendors flagged this skill as clean.