Attention Research Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a coherent scheduled research-digest skill, but users should review the installer, cron setup, and messaging delivery before enabling it.

Install this only if you want a recurring research pipeline. Before running the installer, review the cron jobs it will add, consider installing PyYAML in your own environment instead of letting the script modify Python packages, confirm exactly where Telegram or WhatsApp digests will be sent, and inspect generated topic prompts before activating them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill explicitly describes writing persistent state such as META.json and creating topic workspace artifacts, but it does not declare corresponding permissions. Undeclared write capability reduces transparency and can cause users or host platforms to authorize a skill without understanding that it modifies local files and scheduling state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose emphasizes research and digest generation, but the behavior includes persistence, local cron registration, and additional state management not clearly disclosed in the top-level description. This mismatch is dangerous because users may consent to a content-analysis workflow without realizing it installs scheduled execution and creates durable local automation/state that continues beyond the current session.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The prompt says to 'ask only the topic' but then instructs the agent to immediately generate a full configuration and later collect operational setup details. This ambiguity can cause the agent to over-collect information, prematurely initiate setup actions, or move users into configuration changes before clear consent and bounded intent are established.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer automatically modifies the user's Python environment by invoking pip to install PyYAML if it is missing, using --break-system-packages and without any confirmation prompt. This can unexpectedly alter a shared or system-managed Python installation, create reproducibility issues, and violate least-surprise for an install script.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The installer creates directories and writes META.json files under $HOME/.openclaw/workspace/docs/research without an explicit warning or confirmation. While this is expected behavior for a setup script, silently writing into the user's home directory can still cause unintended state changes, overwrite assumptions about workspace layout, and make the install less transparent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installer executes setup-cron.sh during installation, and the metadata indicates this skill runs on a twice-daily schedule, so modifying cron is a meaningful persistence and system-configuration change. Running a secondary script that may register scheduled tasks without explicit upfront disclosure or confirmation increases the risk of unwanted persistence and makes review harder.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The prompt instructs the agent to write a new file into the workspace (`PROMPTS/TOPICS/<topic-slug>.md`) based on several possible inputs, including fetched URLs and workspace files, but it does not require an explicit upfront warning or confirmation before making that filesystem change. In an agent setting, silent file creation can lead to unintended persistence, overwriting adjacent workflow state, or abuse through crafted inputs that cause the agent to generate and store unwanted content without the user's informed approval.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template instructs the agent to write topic news files and modify META.json state automatically, but it provides no user-facing disclosure, consent checkpoint, or scope limitation around persistent file changes. In a scheduled research pipeline, silent state mutation can hide data retention and operational side effects from the user, making misuse or unintended persistence more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template directs delivery of generated digests through Telegram or WhatsApp without any warning about external transmission, data sensitivity, or destination verification. This creates a real risk of unintentional disclosure of research outputs, internal notes, or sensitive topic monitoring results to third-party services or misconfigured recipients.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The template instructs delivery through Telegram or WhatsApp but does not require any disclosure, consent, or data-sensitivity check before sending content to third-party messaging platforms. In a research pipeline that aggregates cross-topic intelligence, this can cause unreviewed transmission of sensitive or proprietary material outside the local environment.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad and lack exclusion conditions, so normal conversational mentions of a topic could be misinterpreted as activation intent. In an agent that can inspect environment state and guide operational changes, loose triggering increases the risk of unintended workflow entry and follow-on actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The template instructs the agent to add entries to a local configuration file and collect a Telegram or WhatsApp destination identifier without clear user notice, consent, or data-handling boundaries. In this skill's context, that is more dangerous because it bridges from conversational planning into local state modification and collection of messaging endpoint data tied to external delivery.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The README instructs users to deliver generated digests through Telegram or WhatsApp but does not warn that research outputs, topic names, chat identifiers, and potentially sensitive summaries will be sent to third-party messaging platforms. In a monitoring pipeline focused on geopolitical, financial, or biotech topics, this can create unintentional data disclosure or metadata leakage if users assume delivery is local/private.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installation instructions download a remote tarball and pipe it directly into extraction, then proceed to run the included installer, with no integrity verification or safety warning. This creates a supply-chain risk: if the repository, transport, or fetched artifact is tampered with, users may unpack and execute malicious content immediately.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends digests through Telegram or WhatsApp, but the description does not present this as a clear user-facing warning about outbound transmission. That omission can lead to inadvertent sharing of sensitive research topics, entity names, or derived intelligence summaries with third-party messaging platforms.

Session Persistence

Medium
Category
Rogue Agent
Content
clawhub install attention-research

# Or install directly from GitHub with git
mkdir -p ~/.openclaw/skills
git clone https://github.com/riverho/attention-research.git ~/.openclaw/skills/attention-research
cd ~/.openclaw/skills/attention-research
bash INSTALL/install.sh --fresh
Confidence
80% confidence
Finding
mkdir -p ~/.openclaw/skills
git clone https://github.com/riverho/attention-research.git ~/.openclaw/skills/attention-research
cd ~/.openclaw/skills/attention-research
bash INSTALL/install.sh --fresh

VirusTotal

67/67 vendors flagged this skill as clean.
