ai-news-pipeline-new

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI news collection and reporting workflow that writes workspace reports and can send collected article text to a configured AI model API.

Install in an isolated Python environment, use trusted RSS sources and scoped ARK/RSS credentials, and run with --disable-ai when article text should not be sent to Volcengine ARK. Expect the skill to persist cumulative data and reports in the chosen workspace, and review generated Excel/Word briefs before sharing or relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities to read environment variables, access the filesystem, write reports/state, and make network requests, but it does not declare any permissions or provide an explicit capability boundary. That creates a transparency and governance gap: users and hosting platforms cannot accurately evaluate or constrain what the skill can access before execution, increasing the risk of over-privileged use and unsafe deployment.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill description says the workflow is self-contained in the current workspace, but the code can send data to an external ARK API when ARK_API_KEY is set. That mismatch can cause operators to approve the skill under false assumptions, resulting in unintended network egress of article content and metadata.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description says the skill should be used when the user wants high-frequency RSS capture or scheduled report delivery, which is broad enough to overlap with ordinary news/reporting requests. That increases the chance the agent invokes this workflow unexpectedly, causing unintended automated data collection and report generation in the workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The command documentation and prompt templates instruct the agent to create and update multiple files in the current workspace, including data, reports, snapshots, and state, but do not warn the user that running the skill is stateful and modifies existing contents. In an agent setting, this can lead to unintended overwrites, cumulative data growth, or persistence of artifacts in shared workspaces, especially because the skill is explicitly designed to run inside the current workspace.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting and usage text references ARK_API_KEY, model connectivity, and report generation features without clearly warning that the workflow may contact external AI or network services. Because this skill collects RSS feeds and can invoke AI generation, users may unintentionally exfiltrate workspace-derived content or metadata to third-party services if they are not clearly informed before execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code transmits article title, content, source, time, link, and company name to an external AI service without explicit user-facing disclosure or confirmation. In this skill context, users may reasonably expect local processing, so silent data egress increases confidentiality and compliance risk, especially if feeds contain licensed, sensitive, or internal material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends full article title, content, source, timestamp, and link to an external AI service whenever ARK_API_KEY is configured, without any explicit user disclosure, consent flow, or data-classification guard. In this workflow, news content may include licensed, sensitive, or internal material, so silent transmission to a third-party model endpoint creates a real confidentiality and compliance risk.

Ssd 3

Medium
Confidence
91% confidence
Finding
Untrusted news content is inserted verbatim into the LLM prompt, so the model can reproduce sensitive source text or follow embedded prompt-injection-style instructions from the article body when generating outputs. Those generated summaries are then cached and written into Excel/brief artifacts, extending the lifetime and spread of any leaked or manipulated content.

VirusTotal

0 of 62 vendors flagged this skill; all 62 reported it clean. A clean antivirus verdict covers known-malware signatures only and says nothing about the data-egress and prompt-injection findings listed above.
