ClawHub

Daily Brief

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: fetch a simple weather and news brief using public web endpoints, with no credentials or persistence.

This appears safe for a simple daily brief, but it contacts wttr.in and Baidu, requires curl despite incomplete registry metadata, and its documented weather-only/news-only options are not implemented in the provided script.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Info
What this means

Using the skill contacts third-party services and displays their returned content.

Why it was flagged

The skill uses curl to contact external weather and news endpoints. This is expected for a daily brief skill, but users should know it sends the requested city to wttr.in and relies on external content.

Skill content
local weather=$(curl -s "wttr.in/$CITY?format=3" 2>/dev/null)
local hot_data=$(curl -s "https://top.baidu.com/api/board?platform=wise&tab=realtime" 2>/dev/null)
Recommendation

Use it only if you are comfortable with those public services receiving the city query and providing the brief content.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill may fail if curl is unavailable, and the listed homepage does not provide a useful upstream source.

Why it was flagged

The homepage is a placeholder and the artifact declares curl, while the registry-level requirements list no required binaries. This is an incomplete packaging/provenance signal, though the included script is small and reviewable.

Skill content
"homepage": "https://github.com/yourusername/daily-brief",
"requires": {
  "bins": ["curl"]
}
Recommendation

Inspect the included script before installing and ensure curl is available if you plan to use the skill.

#
ASI09: Human-Agent Trust Exploitation
Info
What this means

Users may expect narrower output than the script actually provides.

Why it was flagged

The documentation advertises weather-only and news-only modes, but the provided script does not implement option parsing and always runs both sections. This is a misleading feature claim, not evidence of harmful behavior.

Skill content
# 仅天气
daily-brief --weather-only

# 仅新闻
daily-brief --news-only
Recommendation

Do not rely on the documented --weather-only or --news-only examples unless the script is updated to implement them.