ClawHub

Auto Sec Blogger Repo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real blog automation skill, but it can automatically publish to Notion/GitHub and mutate a local repository with limited safeguards.

Install only if you intend to run a publishing automation with real Notion, GLM, and GitHub access. Use a dedicated blog repository and scoped credentials, verify BLOG_REPO_PATH/BLOG_LOCAL_PATH and git remote before running, avoid broad cron or background service use until tested, and require a manual review or dry run before any git push or public deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
                # Mermaid CLI 실행
                result = subprocess.run([
                    'npx', '-y', '@mermaid-js/mermaid-cli',
                    '-i', mmd_file,
                    '-o', str(output_file),
Confidence
91% confidence
Finding
result = subprocess.run([ 'npx', '-y', '@mermaid-js/mermaid-cli', '-i', mmd_file, '-o', str(output_file),

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True)

        print("[Git] Committing...")
        subprocess.run(['git', 'commit', '-m', f"feat: 블로그 글 추가 - {title}"],
                      cwd=blog_repo_path,
                      check=True,
                      capture_output=True)
Confidence
81% confidence
Finding
subprocess.run(['git', 'commit', '-m', f"feat: 블로그 글 추가 - {title}"], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'blog_repo_path' from os.getenv (line 152, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# Git operations
        print("\n[Git] Adding changes...")
        subprocess.run(['git', 'add', '.'],
                      cwd=blog_repo_path,
                      check=True,
                      capture_output=True)
Confidence
78% confidence
Finding
subprocess.run(['git', 'add', '.'], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'blog_repo_path' from os.getenv (line 152, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
capture_output=True)

        print("[Git] Committing...")
        subprocess.run(['git', 'commit', '-m', f"feat: 블로그 글 추가 - {title}"],
                      cwd=blog_repo_path,
                      check=True,
                      capture_output=True)
Confidence
84% confidence
Finding
subprocess.run(['git', 'commit', '-m', f"feat: 블로그 글 추가 - {title}"], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'blog_repo_path' from os.getenv (line 152, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
capture_output=True)

        print("[Git] Pushing to remote...")
        subprocess.run(['git', 'push', 'origin', 'main'],
                      cwd=blog_repo_path,
                      check=True,
                      capture_output=True)
Confidence
86% confidence
Finding
subprocess.run(['git', 'push', 'origin', 'main'], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'md_file' from os.getenv (line 88, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
{content}
"""

        with open(md_file, 'w', encoding='utf-8') as f:
            f.write(front_matter)

        print(f"✓ Created: {md_file}")
Confidence
89% confidence
Finding
with open(md_file, 'w', encoding='utf-8') as f:

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The docstring claims publishing occurs after user approval, but the implementation auto-publishes any Notion item in the review-complete state with no separate in-code confirmation. This can cause unintended publication if a page is misclassified, changed by another integration, or manipulated by someone with Notion access.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list contains broad phrases such as '블로그 글 작성' and '자동 글쓰기' that could match ordinary user requests unrelated to this high-impact automation skill. Because the skill can initiate content collection, external API use, draft creation, and possible publication workflows, broad invocation increases the chance of accidental activation of system/data-affecting behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automated publishing to Notion and GitHub Pages, Git push operations, and scheduled execution, but does not prominently warn users at the top that it can perform external writes, persistent content changes, and recurring actions. In an agent context, missing upfront disclosure materially increases the risk of a user invoking behavior that changes external systems or publishes unreviewed content.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script writes directly into a local repository’s _posts directory without any confirmation, dry-run mode, or trust boundary checks on the target path. In an agent-skill context, automatic file modification can become dangerous because untrusted article content or a manipulated BLOG_LOCAL_PATH may cause unintended repository changes and prepare content for later commit/push.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code writes content to the repository, commits it, and pushes to origin/main automatically without a final confirmation at the point of action. In this context, the content originates from Notion and can flow directly into a public deployment pipeline, so mistakes or malicious edits can be published immediately.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script creates files, commits them, and pushes to a remote automatically with no user confirmation, preview, or safeguard. In an agent context, this is especially risky because untrusted remote content from Notion is transformed into persistent local and remote changes, making accidental or malicious publication much more dangerous.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends article titles and summaries to an external LLM service via `self.client.chat(...)`, but this file shows no consent gate, disclosure, redaction, or policy enforcement before transmission. If summaries contain personal, confidential, or licensed content, this can cause unintended data exposure to a third-party processor and create compliance/privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script unconditionally loads a developer-specific .env file that may contain live Notion credentials, with no prompt or safety guard before using them. In a test script, this can cause operators to unknowingly run against production resources and expose or misuse secrets from the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code performs real upload and download operations against Notion without any confirmation, dry-run mode, or indication that remote services will be contacted. A user running what appears to be a local pipeline test may unintentionally create remote content and transmit data to an external service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script modifies remote state by updating a Notion page status automatically, again without warning or approval. Even if the page was just created, this is still a write operation to a live remote system and can interfere with workflows, automations, or downstream publishing pipelines.

Ssd 4

Medium
Confidence
97% confidence
Finding
Untrusted article titles and summaries are embedded directly into the LLM prompt without delimiting, sanitization, or instruction/data separation. A malicious article can include prompt-injection text that manipulates grouping behavior, causes unsafe downstream content generation, or smuggles adversarial instructions into later pipeline stages. The skill context makes this more dangerous because it chains LLM outputs into subsequent processing, amplifying poisoned article content.

Ssd 4

Medium
Confidence
98% confidence
Finding
The code reuses LLM-derived topic and angle values in a second prompt, creating a multi-stage prompt-injection chain. If the first stage is influenced by malicious article content, attacker-controlled instructions can persist into article generation, shaping the final output, bypassing intended persona/tone constraints, and potentially causing misleading or policy-violating generated content. The chained design increases danger because compromised intermediate outputs are implicitly trusted.

External Transmission

Medium
Category
Data Exfiltration
Content
# GLM API
GLM_API_KEY=your_glm_api_key
GLM_BASE_URL=https://api.z.ai/api/coding/paas/v4

# Notion
NOTION_API_KEY=ntn_xxx
Confidence
87% confidence
Finding
https://api.z.ai/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
---
name: auto-sec-blogger
description: AI-powered security blog automation system (identical to github.com/rebugui/intelligence-agent). Collects news from Google News, arXiv, HackerNews → generates blog posts with GLM-4.7 → publishes to Notion → auto-deploys to GitHub Pages via Git. Features Human-in-the-Loop approval workflow. Use when you want to automate blog writing, news collection, or content generation with the exact functionality of the original intelligence-agent repository. Triggers: "블로그 글 작성", "보안 뉴스 발행", "깃헙 블로그 발행", "intelligence agent", "지능형 에이전트", "자동 글쓰기".
---

# Intelligence Agent
Confidence
93% confidence
Finding
auto-deploy

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal