Security News Feed Repo

Security checks across malware telemetry and agentic risk

Overview

The skill’s stated purpose (collecting and publishing news) is coherent, but it can automatically modify external Notion data and publish content with too little user control.

Review this before installing if your Notion database, Slack channel, Tistory account, or Chrome profile contains sensitive or business-critical data. Use a dedicated Notion database and restricted API tokens, keep Tistory publishing disabled unless explicitly needed, and disable or patch the automatic 90-day archive cleanup before running it on real data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Tainted flow: 'current_url' from requests.get (line 198, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
    current_url = response.url
    for _ in range(3):  # try up to 3 additional redirects
        try:
            resp = requests.get(current_url, headers=self.headers, timeout=5, allow_redirects=False)
            if resp.status_code in [301, 302, 303, 307, 308] and 'Location' in resp.headers:
                next_url = resp.headers['Location']
                if 'google.com' not in next_url:
Confidence: 89%
Finding: resp = requests.get(current_url, headers=self.headers, timeout=5, allow_redirects=False)

Tainted flow: 'upload_url' from requests.post (line 1794, network input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content:
    files_payload = {'file': (file_name, f, mime_type)}

    upload_response = requests.post(
        upload_url,
Confidence: 84%
Finding: upload_response = requests.post( upload_url, headers=upload_headers_for_step2, files=files_payload, timeout=120

Tainted flow: 'upload_url' from requests.post (line 1794, network input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content:
    print(f"  [DEBUG] 파트 {part_number} 요청 URL: {upload_url}")
    print(f"  [DEBUG] 파트 {part_number} part_number 값: {part_number}")

    upload_response = requests.post(
        upload_url,  # ← no query parameters
        headers=upload_headers,
        files=files_payload,
Confidence: 85%
Finding: upload_response = requests.post( upload_url, # ← no query parameters headers=upload_headers, files=files_payload,

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The docstring understates the script's behavior by saying it only checks database connectivity, while the code also performs a write operation and archives a created page. This mismatch can mislead reviewers or operators into running a state-changing script they believe is read-only, increasing the chance of unintended data modification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The crawler automatically downloads remote images and attached files from the target site and republishes them via publisher_service without validating file type, size, origin, or safety. In this context that creates a genuine supply-chain/content-ingestion risk: a compromised or malicious upstream page could cause the system to ingest and redistribute unsafe or unauthorized content.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger phrases are very broad (e.g., generic requests about 'security news' or '뉴스 수집'), which can cause the skill to activate on ordinary user queries without clear intent to run an external collection-and-publishing workflow. In this skill, mistaken activation is more dangerous because execution can crawl third-party sites, send content to Gemini, and publish to Notion or Tistory, creating privacy, consent, and unintended-action risks.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill description does not clearly warn users that collected content is transmitted to external APIs (Gemini, Notion, Tistory) and may be published externally. This is dangerous because users may invoke the skill expecting local aggregation, while the workflow actually sends data off-platform and can post content publicly, increasing data exposure and unintended publication risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The crawler explicitly disables Chrome Safe Browsing before downloading files from a remote website, which removes a built-in protection layer against malicious or deceptive downloads. Because this code automatically discovers and downloads attachments from external pages, a compromised source site or injected attachment could result in unsafe files being fetched without browser safeguards.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
Raw exception details are forwarded to Slack, which can leak internal error context, request data, URLs, stack fragments, or operational metadata to an external messaging service. If exceptions contain sensitive values from downstream components or infrastructure, this creates an unintended data exfiltration path and broadens access to internal debugging information.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The crawler disables TLS certificate verification when fetching article detail pages, which allows a man-in-the-middle attacker to intercept or tamper with the HTTPS response. In this skill's context, that could poison scraped content, alter URLs or dates, and feed untrusted data into downstream publishing or notification systems while suppressing certificate warnings globally.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The crawler downloads remote images with TLS certificate verification explicitly disabled via `requests.get(..., verify=False)`. This allows a man-in-the-middle attacker or hostile network device to intercept and modify downloaded content, which is especially risky here because the crawler saves the fetched bytes to disk and forwards files into a downstream publishing pipeline.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The crawler fetches attacker-influenced remote content over HTTPS with certificate verification explicitly disabled. This allows a man-in-the-middle attacker or a hostile network/proxy to spoof the target site, inject false article content and download links, and potentially poison downstream systems that trust the crawler's output.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The crawler uses curl with -k, which disables TLS certificate verification for the initial page fetch. This allows a man-in-the-middle attacker or hostile network intermediary to tamper with the HTML response, causing the crawler to ingest spoofed content, discover attacker-controlled links, or poison downstream systems.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The detail-page fetch also disables TLS verification and follows redirects while sending a browser-like User-Agent to external URLs derived from parsed page content. If an attacker can tamper with the listing page or influence those links, the crawler may retrieve and trust attacker-controlled content, enabling data poisoning and potentially SSRF-like access to unintended destinations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
When Notion rejects an unsupported extension, the code silently renames the file with a .pdf suffix and changes the MIME type to application/pdf before retransmission. This can misrepresent file content, bypass file-type controls, and cause unintended disclosure or downstream unsafe handling because recipients and systems may trust the falsified type metadata.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The module uploads local files to an external service automatically, with no user-facing consent gate, file-path policy, or classification check. In an agent/skill context, this increases the chance of accidental exfiltration of sensitive local artifacts if upstream inputs influence which files are attached.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The function performs a real publish action immediately after filling the editor and clicks the final publish button without any explicit confirmation gate, dry-run mode, or safety interlock. Because this module automates posting through a logged-in browser session, any unintended invocation, bad input, or prompt/agent misuse can cause irreversible public publication on the user's blog.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code automatically starts a background cleanup thread that deletes Notion entries older than 90 days without any interactive confirmation, dry-run mode, or explicit operator acknowledgment in this file. In an automation context this can cause unintended data loss, especially if retention assumptions are wrong, configuration points to the wrong database, or the deletion routine has defects.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skip path deletes local files referenced in task['files'] with minimal validation and no user-facing disclosure or confirmation. If those file paths are attacker-influenced or incorrectly populated by upstream crawlers, the process could remove unintended local files, turning cleanup logic into a file deletion primitive.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The function sends execution summaries to Slack automatically, which can leak operational metadata and potentially sensitive content to an external service if Slack configuration is misrouted or broadly accessible. Because this happens by default in normal workflow, it increases the blast radius of any sensitive data present in titles, summaries, source names, or error conditions.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The script silently loads environment variables from a user-specific .env file, which can expose credentials or sensitive configuration to imported crawler code without clear user awareness. In a skill or agent context, implicit secret loading broadens the trust boundary and can enable downstream components to access secrets they do not strictly need.

Missing User Warnings

Severity: Medium
Confidence: 76%
Finding:
The script automatically loads environment variables from a user-specific .env file without notice or consent, which can expose sensitive credentials to downstream crawler code unexpectedly. In an agent/skill context, silent credential loading increases the blast radius because imported modules may consume secrets or trigger authenticated network actions the user did not intend.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
### Notion connection error
```bash
# Check the Notion API key
curl -X POST https://api.notion.com/v1/databases/{database_id}/query \
  -H "Authorization: Bearer {token}" \
  -H "Notion-Version: 2022-06-28"
```
Confidence: 88%
Finding: https://api.notion.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
    }

    req = urllib.request.Request(
        'https://api.notion.com/v1/pages',
        data=json.dumps(test_page).encode('utf-8'),
        headers={
            'Authorization': f'Bearer {notion_token}',
Confidence: 79%
Finding: https://api.notion.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
    # Delete the test page (archive it)
    print("\n3️⃣ Archiving test page...")
    delete_req = urllib.request.Request(
        f"https://api.notion.com/v1/pages/{page_data['id']}",
        data=json.dumps({"archived": True}).encode('utf-8'),
        headers={
            'Authorization': f'Bearer {notion_token}',
Confidence: 73%
Finding: https://api.notion.com/

VirusTotal

66/66 vendors flagged this skill as clean.