Auto Sec Blogger

Security checks across malware telemetry and agentic risk

Overview

This is a plausible blog automation skill, but it can automatically publish Notion-approved content to GitHub Pages using broad local Git actions without enough runtime safeguards.

Install only if you intentionally want an agent to write to Notion and publish to a GitHub Pages repository. Use dedicated low-privilege Notion and GitHub credentials, point it at a test or dedicated blog repo, inspect Notion approvals and git diffs before enabling pushes, avoid the background publisher unless continuous publishing is required, and pin or remove the runtime npx Mermaid renderer before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Run Mermaid CLI
    result = subprocess.run([
        'npx', '-y', '@mermaid-js/mermaid-cli',
        '-i', mmd_file,
        '-o', str(output_file),
Confidence
89% confidence
Finding
result = subprocess.run([ 'npx', '-y', '@mermaid-js/mermaid-cli', '-i', mmd_file, '-o', str(output_file),

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(['git', 'commit', '-m', commit_msg], cwd=self.blog_path, check=True)

# Push
subprocess.run(['git', 'push', 'origin', 'main'], cwd=self.blog_path, check=True)

print(f"✅ Git push 완료: {len(filenames)}개 포스트")
return True
Confidence
83% confidence
Finding
subprocess.run(['git', 'push', 'origin', 'main'], cwd=self.blog_path, check=True)

Tainted flow: 'blog_repo_path' from os.getenv (line 152, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# Git operations
print("\n[Git] Adding changes...")
subprocess.run(['git', 'add', '.'],
               cwd=blog_repo_path,
               check=True,
               capture_output=True)
Confidence
85% confidence
Finding
subprocess.run(['git', 'add', '.'], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'blog_repo_path' from os.getenv (line 152, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
capture_output=True)

print("[Git] Committing...")
subprocess.run(['git', 'commit', '-m', f"feat: 블로그 글 추가 - {title}"],
               cwd=blog_repo_path,
               check=True,
               capture_output=True)
Confidence
87% confidence
Finding
subprocess.run(['git', 'commit', '-m', f"feat: 블로그 글 추가 - {title}"], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'blog_repo_path' from os.getenv (line 152, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
capture_output=True)

print("[Git] Pushing to remote...")
subprocess.run(['git', 'push', 'origin', 'main'],
               cwd=blog_repo_path,
               check=True,
               capture_output=True)
Confidence
83% confidence
Finding
subprocess.run(['git', 'push', 'origin', 'main'], cwd=blog_repo_path, check=True, capture_output=True)

Tainted flow: 'md_file' from os.getenv (line 88, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
{content}
"""

with open(md_file, 'w', encoding='utf-8') as f:
    f.write(front_matter)

print(f"✓ Created: {md_file}")
Confidence
89% confidence
Finding
with open(md_file, 'w', encoding='utf-8') as f:

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module claims publishing happens after user approval, but the implementation automatically publishes anything returned as review-complete, with no approval check in this component. That mismatch can mislead operators into trusting an approval boundary that does not actually exist, increasing the chance of unauthorized or accidental publication.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad content-generation and blog-writing phrases that can match ordinary user requests and invoke this skill unexpectedly. Because the skill can collect external content, send data to third-party APIs, and eventually publish to external systems, accidental activation increases the risk of unintended data transmission or automated publication.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes collecting news, generating posts with an external LLM, and publishing through Notion/GitHub, but it does not clearly warn that article content, prompts, metadata, and possibly user-supplied material will be transmitted to external services. Users may provide sensitive drafts, internal analysis, or unpublished content without realizing it will leave the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow states that approved content is pushed via Git and deployed to GitHub Pages, but it does not provide a strong warning that this can make content publicly accessible and trigger automated downstream actions. In a blogging skill, publication is the core function, so omission of explicit deployment-effect warnings materially increases the chance of accidental public disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically converts remote Notion content into local files and pushes them to the main branch with no approval gate, dry-run mode, or branch isolation. In this context, that creates a real integrity risk: compromised Notion content, mistaken status changes, or malicious metadata can be published directly to production infrastructure.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The code writes files derived from article fields and an environment-controlled base path without any user confirmation or repository-boundary validation. In an agent setting, silent file creation can unexpectedly modify local content and, combined with untrusted article metadata such as category, may write outside the intended content subtree if path components are not sanitized.

Missing User Warnings

High
Confidence
93% confidence
Finding
This routine stages, commits, and pushes changes to a remote repository without any prior user warning, confirmation, or policy check. In a skill/agent context, automatic publication is especially risky because it can irreversibly leak content or trigger unwanted external side effects using the user's existing git credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code writes content derived from Notion directly into the repository without any interactive warning or execution-time confirmation. In a skill that can turn remote content into published files, the lack of a final user-facing gate increases the risk of accidental publication, content poisoning, or unintended modification of tracked files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This execution path commits and pushes to the remote repository automatically, without a clear user-facing confirmation at the moment of action. Because push likely triggers GitHub Actions deployment, any mistake or malicious content from the upstream content source can immediately become a live site change.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script performs live creation of a Notion page and updates its status without any confirmation, dry-run mode, or environment gating. In an agent or automation context, that can cause unintended modification of production data, clutter remote systems, and trigger downstream publishing workflows without the operator realizing it.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends article titles, sources, and summaries to an external LLM service without any visible consent, disclosure, or data-classification guardrails. If articles contain proprietary, personal, or embargoed content, this can cause unintended third-party data exposure and compliance issues.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The generation step forwards article titles, URLs, topic context, and perspective to the external LLM without any notice or minimization. This broadens the data shared externally and may leak source relationships, internal URLs, or sensitive editorial context beyond what is necessary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code sends article source, title, URL, and summary to an external LLM service via `self.client.chat(...)` without any visible consent, minimization, redaction, or policy enforcement in this component. If article data can contain unpublished, proprietary, or sensitive information, this creates a real data disclosure risk to a third-party processor and may violate privacy or compliance expectations.

Ssd 4

Medium
Confidence
94% confidence
Finding
Untrusted article titles and summaries are inserted directly into the LLM prompt, allowing prompt injection through content that appears to be ordinary news text. A malicious article could steer grouping, induce malformed JSON, override instructions, or bias subsequent analysis in ways the system treats as trusted output.

Ssd 4

Medium
Confidence
95% confidence
Finding
Passing article titles and URLs verbatim into the blog-generation prompt allows attacker-controlled metadata to influence the generated article's style, instructions, or references. In this context, the model is producing long-form content, so prompt steering can more easily redirect tone, insert unwanted content, or manipulate attribution and conclusions.

External Transmission

Medium
Category
Data Exfiltration
Content
# GLM API
GLM_API_KEY=your_glm_api_key
GLM_BASE_URL=https://api.z.ai/api/coding/paas/v4

# Notion
NOTION_API_KEY=ntn_xxx
Confidence
90% confidence
Finding
https://api.z.ai/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
---
name: auto-sec-blogger
version: 1.1.0
description: AI-powered security blog automation system (identical to github.com/rebugui/intelligence-agent). Collects news from Google News, arXiv, HackerNews → generates blog posts with GLM-4.7 → publishes to Notion → auto-deploys to GitHub Pages via Git. Features Human-in-the-Loop approval workflow. Use when you want to automate blog writing, news collection, or content generation with the exact functionality of the original intelligence-agent repository. Triggers: "블로그 글 작성", "보안 뉴스 발행", "깃헙 블로그 발행", "intelligence agent", "지능형 에이전트", "자동 글쓰기".
---

# Intelligence Agent
Confidence
86% confidence
Finding
auto-deploy

VirusTotal

64/64 vendors flagged this skill as clean.
