今日头条热榜 | Toutiao Hot News

Security checks across malware telemetry and agentic risk

Overview

The skill mainly matches its Toutiao hot-list purpose, but one bundled helper can run code from an unrelated local OpenClaw skill path and the generated HTML report renders external news data unsafely.

Review before installing. Use the documented scripts that call the bundled toutiao.js, avoid scripts/fetch-toutiao.py unless it is fixed to reference only package-local code, and treat generated HTML reports as untrusted until the skill escapes external data and validates links. Delete data/toutiao.db and data/index.html when you no longer want the stored history.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The manifest describes a simple hot-list retrieval tool, but later sections introduce materially broader behavior: database initialization, repeated collection, local persistence, querying, and HTML report generation. This scope drift is dangerous because it can mislead users and reviewers about what the skill actually does, reducing informed consent and making risky behaviors easier to hide.

Context-Inappropriate Capability

Medium, 88% confidence
Finding
Local SQLite storage and HTML report generation go beyond the core stated purpose of returning Toutiao trending items, and the documentation does not strongly justify why persistence is necessary. While not inherently malicious, unnecessary retention and artifact generation enlarge the attack surface and can leave behind local data or files users did not expect.

Missing User Warnings

Low, 84% confidence
Finding
The markdown explains database and HTML generation workflows but does not clearly warn that these operations create and modify files on the local filesystem. Even benign file writes can be risky when undisclosed, because users may run commands expecting read-only behavior and instead end up with persistent artifacts in local directories.

Missing User Warnings

Medium, 97% confidence
Finding
The script serializes untrusted database fields such as title, label, and link into a JavaScript object and then renders them with template literals via innerHTML. Because those values originate from scraped external content and are inserted into HTML/attribute contexts without escaping or sanitization, a crafted news title or link could trigger stored XSS when a user opens the generated report.

VirusTotal

66/66 vendors flagged this skill as clean.
