ClawHub

Daily News Portal (Prasowka)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed daily news-page generator that fetches public news, summarizes it, and writes a local HTML portal with limited local state.

Before installing, be aware that it will contact third-party news sites/APIs and may send fetched article text to an LLM for summarization. Review the configured sources, including Reddit, Yandex News, WallStreetCN, and public APIs, if your environment restricts outbound requests or source selection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill writes an HTML file to the workspace and updates `seen_urls.json`, but it does not warn the user that it will modify files or describe the persistence implications. In an agent setting, silent workspace writes can surprise operators, overwrite expected files, or create state that affects later runs.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill performs `web_search` and `web_fetch` against external sites without clearly warning that it will initiate network activity based on topics and article URLs. In enterprise or privacy-sensitive environments, undisclosed outbound requests can leak interests, metadata, timing, and potentially fetched URLs to third parties.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal