Newsletter Launch

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned newsletter automation, but it under-discloses sensitive credential storage and creates persistent jobs that can use those credentials and publish content.

Install only if you want ongoing newsletter automation and are comfortable reviewing cron jobs and generated files. Keep auto-publishing disabled until tested, use the least-privileged Beehiiv key available, ensure generated configs and cron payloads do not expose or commit the API key, and rotate the key if it was pasted into chat, logs, files, or git history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if result.returncode != 0:
    return None, "workspace is not a git repo — skipping commit"

subprocess.run(
    ["git", "add", f"projects/{slug}/", f"skills/newsletter-launch/.skill-config/{slug}.json"],
    cwd=str(workspace), check=True, capture_output=True
)
Confidence
79% confidence
Finding
subprocess.run( ["git", "add", f"projects/{slug}/", f"skills/newsletter-launch/.skill-config/{slug}.json"], cwd=str(workspace), check=True, capture_output=True

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill performs shell execution, file writes, dependency installation, and cron creation, yet declares no permissions or equivalent user-visible capability boundary. That deprives users and the platform of an accurate trust signal and makes high-impact behavior easier to trigger without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose sounds like a setup wizard, but the instructions go beyond scaffolding into installing other skills, handling API credentials, creating persistent automations, and potentially enabling auto-posting with write access. This mismatch is dangerous because users may authorize a seemingly simple onboarding flow without realizing it can make external account changes and establish long-lived background actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill silently checks for and can install additional skills via CLI, which expands the trusted code base and execution surface beyond the user's original request. Installing dependencies from within a conversational setup flow is risky because it can introduce new code and permissions that the user did not explicitly review beforehand.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This launcher script does more than scaffold initial files: it embeds live publishing automation that can send newsletter content to Beehiiv using provided credentials. That turns a setup skill into an operational automation surface with real outbound side effects, increasing the chance of unintended publication, credential misuse, and actions occurring without clear user review at execution time.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The generated weekly write cron performs recurring content generation, KPI collection, Beehiiv API access, and even spawns additional cron jobs. This exceeds the advertised launch-only scope and creates durable automation capable of repeated external actions and file modifications long after initial setup, which is risky if the user expected only scaffolding.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The evergreen and quarterly research crons establish continuous editorial and research workflows, not just initial setup. Persistent autonomous behavior widens the blast radius by causing ongoing web research, content generation, and project-file changes on a schedule that may not match user expectations or oversight.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script's documented behavior includes committing changes to git automatically after scaffolding. In an agent skill context, repository modification is a sensitive side effect because a user may expect file generation only, while the skill also alters version-control history and can persist unintended or attacker-influenced content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Embedding version-control commit capability inside a newsletter scaffolding skill expands the skill's authority beyond straightforward file creation. In agent-driven environments, this is dangerous because it enables persistent repository changes from a content-generation workflow, increasing the blast radius of bad input, prompt abuse, or operator misunderstanding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks the user to provide a Beehiiv API key directly but does not explain how the secret will be stored, who can access it, or whether it will appear in config files, logs, or cron payloads. Collecting secrets without clear handling guarantees creates a significant risk of credential leakage and downstream account compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill enables API write access and persistent automations without a strong upfront warning that it may publish content, modify external Beehiiv state, and create ongoing scheduled tasks. That lack of informed consent increases the chance of unintended account changes or misuse if the setup is triggered casually or by mistake.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs the user to create and copy a Beehiiv API key but does not warn that the key is a sensitive secret that must not be pasted into chats, committed to files, or shared broadly. In a skill that automates newsletter setup, users are especially likely to hand the credential back to the agent, which could lead to unauthorized access to publication data or posting capabilities if the account is on a higher Beehiiv plan.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The schema documentation explicitly includes a field for a Beehiiv API key and shows a realistic-looking example value, but it provides no warning about secret handling, storage, redaction, or avoiding commits/logging. In this skill context, the agent writes config files and passes them to scripts, which increases the chance that users or the automation pipeline will persist credentials in plaintext, expose them in project files, or leak them through logs and version control.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script interpolates the Beehiiv API key directly into generated cron instructions for a curl command. Embedding secrets into job payloads increases exposure through logs, cron inspection, debugging output, or downstream tooling, and there is no visible warning or secret-handling control in this file.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This cron payload performs authenticated Beehiiv API requests and local file updates without any embedded confirmation, guardrail, or safety disclosure in the code path shown. Because it runs on a schedule and targets the main session, it can trigger external data access and workspace mutations automatically, making accidental or surprising actions more likely.

Ssd 3

High
Confidence
97% confidence
Finding
The instructions explicitly tell the agent to collect and accept a Beehiiv API key from the user in-band. Direct secret collection in chat is dangerous because it can expose the key to transcripts, logs, config generation, and accidental reuse in subsequent tool calls, enabling unauthorized publication or account access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal