ClawHub

News Summary

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it gathers Vietnamese news and posts scheduled summaries to a user-configured Telegram channel, but users should handle the bot token and cron setup carefully.

Install only if you want an automated Telegram news poster. Use a dedicated Telegram bot with only channel-posting permissions, keep config.json out of source control, verify which config file will be used, inspect the cron line after running install.sh, and remove the cron job when you no longer want scheduled posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env['NODE_PATH'] = node_path

    try:
        proc = subprocess.run(
            [node_bin, scraper],
            capture_output=True, text=True, timeout=30,
            env=env
Confidence
86% confidence
Finding
proc = subprocess.run( [node_bin, scraper], capture_output=True, text=True, timeout=30, env=env )

Tainted flow: 'node_bin' from os.environ.get (line 170, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
env['NODE_PATH'] = node_path

    try:
        proc = subprocess.run(
            [node_bin, scraper],
            capture_output=True, text=True, timeout=30,
            env=env
Confidence
93% confidence
Finding
proc = subprocess.run( [node_bin, scraper], capture_output=True, text=True, timeout=30, env=env )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities that require network access, shell execution, and likely access to local configuration files, yet it does not declare permissions. This creates a transparency and consent problem: users may install or run the skill without understanding that it can execute commands, access credentials, and transmit data externally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell users to obtain and store a Telegram bot token and channel ID, but never warn that the bot token is a secret equivalent to account-level API credentials. Users may paste the token into world-readable files, logs, screenshots, shell history, or repositories, allowing an attacker to hijack the bot and send or read messages depending on granted permissions.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The script reads configuration from a fixed workspace path under /home/pc999/.openclaw/workspace/config.json and silently falls back to nearby project paths, then prints requested values to stdout. In a skill that aggregates news and sends messages via Telegram, config files are likely to contain bot tokens, chat IDs, or other sensitive settings, so this behavior can expose secrets without any user-facing disclosure or access control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer silently modifies the user's crontab by appending a recurring task without any confirmation or opt-in. This creates persistence on the host and can surprise users, especially because install scripts are often run with high trust and the scheduled job will continue executing long after setup completes.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal