xinwencaiji

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it handles feed credentials and can disable TLS checks for arbitrary configured RSS sources, so users should review it before installing.

Install only in a dedicated workspace. Do not put sensitive or reusable passwords in feed configs unless the feed URL is trusted HTTPS with TLS verification enabled. Avoid verify_ssl=false. Use --disable-ai if collected content should not be sent to the ARK model service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs users to execute Python scripts that read environment variables, access the network, invoke shell commands, and read/write/delete workspace files, yet it declares no permissions. This is dangerous because users and policy systems cannot accurately assess the skill's operational scope, especially given that it can modify cumulative reports, update state, and transmit content to external services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The description frames the skill as a self-contained workspace workflow for capture-only or report-only use, but the documented behavior also includes full end-to-end execution, outbound network collection, and external AI processing with authenticated requests and potentially disabled SSL verification. This mismatch can cause users to run a workflow with materially broader data access and external transmission than they were led to expect.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill documentation does not clearly warn that execution will create folders, write cumulative Excel files, rebuild Word briefs, update deduplication state, and delete AI cache files. In a shared or sensitive workspace, this can lead to unintended data modification or loss because users may assume the skill is read-only or minimally invasive.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The report-generation path sends collected content to an external model service using ARK_API_KEY, but the skill lacks a clear privacy and data-transfer warning. This is dangerous because news content, internal source selections, or derived company mention data from the workspace may be transmitted off-host without explicit user understanding or consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code permits SSL certificate verification to be disabled per source by creating an unverified TLS context before fetching a feed. In this skill, feeds and optional Basic Auth credentials are pulled from configurable external URLs, so disabling verification enables man-in-the-middle interception, feed tampering, and possible credential exposure if HTTPS is used without validation.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script automatically sends configured username/password values as a Basic Authorization header for arbitrary feed URLs from the config. In this context, the workspace-local config may point to third-party or even non-HTTPS endpoints, so secrets can be disclosed to unintended hosts, especially when combined with optional TLS verification bypass.

Ssd 1

Severity: Medium
Confidence: 94%
Finding: The script injects untrusted article title/content/source/link fields directly into the LLM prompt and then trusts the model to return strict JSON. Malicious news content can contain prompt-injection text that causes the model to ignore instructions, emit malformed output, or generate manipulated summaries, undermining report integrity and potentially causing downstream workflow failures.

VirusTotal

64/64 vendors flagged this skill as clean.