ClawHub

Multi Source Tech News Digest

Security checks across malware telemetry and agentic risk

Overview

This is a public tech-news digest skill with some implementation and dependency hygiene issues, but no artifact-backed evidence of hidden data access, exfiltration, or destructive behavior.

Before installing, review whether you want the auto-start daily Telegram trigger enabled, and consider pinning/auditing the Python dependencies. Treat the 109+ source claim as overstated unless the maintainer expands the implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # 使用OpenClaw的web_fetch工具获取内容
            import subprocess
            result = subprocess.run([
                sys.executable, "-c", 
                f"import requests; import feedparser; \
                feed = feedparser.parse('{source_url}'); \
Confidence
94% confidence
Finding
result = subprocess.run([ sys.executable, "-c", f"import requests; import feedparser; \ feed = feedparser.parse('{source_url}'); \

subprocess module call

Medium
Category
Dangerous Code Execution
Content
releases = []
            for repo in self.config["github_repos"]:
                import subprocess
                result = subprocess.run([
                    sys.executable, "-c",
                    f"import requests; \
                    response = requests.get('{repo}', headers={{'Accept': 'application/vnd.github.v3+json'}}); \
Confidence
97% confidence
Finding
result = subprocess.run([ sys.executable, "-c", f"import requests; \ response = requests.get('{repo}', headers={{'Accept': '

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.25.0
beautifulsoup4>=4.9.0
Confidence
96% confidence
Finding
feedparser>=6.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.25.0
beautifulsoup4>=4.9.0
Confidence
97% confidence
Finding
requests>=2.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.25.0
beautifulsoup4>=4.9.0
Confidence
95% confidence
Finding
beautifulsoup4>=4.9.0

Known Vulnerable Dependency: feedparser — 10 advisory(ies): CVE-2011-1157 (feedparser Cross-site Scripting vulnerability); CVE-2009-5065 (feedparser Cross-site Scripting vulnerability); CVE-2011-1158 (feedparser Cross-site Scripting vulnerability) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
feedparser

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal