Security audit

Topic Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent topic-monitoring skill with purpose-aligned external checks, local state, and alert queueing, but users should configure its external sources carefully.

Install only if you want recurring monitoring. Review every configured query, feed, GitHub repo, alert channel, and generated cron job before enabling automation. Do not use sensitive watchlists unless you are comfortable sending them to search providers or feed/GitHub hosts, and set WEB_SEARCH_PLUS_PATH only to a trusted local web-search-plus script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'web_search_plus' from os.environ.get (line 275, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
safe_query = re.sub(r'[\x00-\x1f\x7f]', '', query)[:500]
if verbose:
    print(f"   🔍 Searching via web-search-plus: {safe_query}")
result = subprocess.run(
    ["python3", str(web_search_plus), "--query", safe_query, "--max-results", "5"],
    capture_output=True,
    text=True,
Confidence
95% confidence
Finding
result = subprocess.run(
    ["python3", str(web_search_plus), "--query", safe_query, "--max-results", "5"],
    capture_output=True,
    text=True,

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The monitor extends its capabilities by invoking an external skill script and passing API-related environment variables into that process. In the skill context, this creates a trust boundary crossing: a monitoring tool silently delegates behavior to another codebase, so compromise or substitution of that script can expose secrets or perform unintended actions beyond the stated scope.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes proactive monitoring, scheduled checks, multi-channel alerts, and cron-based automation, but it does not present a prominent upfront warning that the skill will perform recurring external searches and may send notifications on the user's behalf. In an agent setting, that omission can cause users to enable autonomous behavior without fully understanding the persistence, outbound activity, and alerting side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill is designed to monitor topics via remote searches, feeds, and GitHub sources and can alert through Telegram, but the description does not warn that topic names, queries, URLs, findings, or summaries may be transmitted to third-party services. In a monitoring skill, this omission is more dangerous because users may submit sensitive watchlists or internal interests, assuming processing is local when it is not.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The parser treats a plain string as a URL or filesystem path and may perform network access or open a local file implicitly. In an agent skill that monitors feeds and topics, passing untrusted user-controlled strings into this API can enable SSRF, unintended local file reads, or access to internal resources because the dangerous behavior happens automatically at parse time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code parses inline URL credentials and converts them into a Basic Authorization header automatically. If the URL uses plain HTTP or is attacker-controlled, credentials can be exposed over the network or sent to an unintended host after user input or configuration mistakes; in a topic-monitoring skill that polls arbitrary feeds, this increases the chance of credential leakage to third-party endpoints.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.