ClawHub

新闻skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a news-fetching skill that calls a disclosed third-party news API, with no evidence of credential theft, persistence, destructive behavior, or unrelated data access.

Install only if you are comfortable with the agent contacting api.cjiot.cc for news requests. Be aware that broad news-related prompts may trigger the skill, and treat fetched article text as untrusted third-party content rather than instructions for the agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions are overly broad, explicitly matching generic terms like “新闻”, “日报”, and “头条”. This can cause the skill to activate during ordinary conversation and unexpectedly call an external API, which creates privacy, consent, and routing risks even though the underlying functionality is benign.

External Transmission

Medium
Category
Data Exfiltration
Content
**接口地址:**
```
https://api.cjiot.cc/api/v1/daily?date={YYYY-MM-DD}
```

**参数说明:**
Confidence
78% confidence
Finding
https://api.cjiot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
**接口地址:**
```
https://api.cjiot.cc/api/v1/articles/{article_id}
```

**参数说明:**
Confidence
82% confidence
Finding
https://api.cjiot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
**处理步骤:**
1. 获取当前日期(格式:YYYY-MM-DD)
2. 调用 API:`curl -s "https://api.cjiot.cc/api/v1/daily?date={当前日期}"`
3. 解析返回的新闻列表
4. 按热度排序展示前 10 条新闻摘要
Confidence
77% confidence
Finding
https://api.cjiot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
**处理步骤:**
1. 解析用户输入的日期
2. 调用 API:`curl -s "https://api.cjiot.cc/api/v1/daily?date={日期}"`
3. 解析并展示新闻列表

**回复模板:**
Confidence
77% confidence
Finding
https://api.cjiot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
**处理步骤:**
1. 从上下文获取当前新闻列表
2. 提取用户指定的文章 ID
3. 调用 API:`curl -s "https://api.cjiot.cc/api/v1/articles/{article_id}"`
4. 解析并展示新闻详情(标题、分类、热度、正文)

**回复模板:**
Confidence
84% confidence
Finding
https://api.cjiot.cc/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal