ClawHub

Multisource Intel Radar

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RSS/OPML digest helper, but users should review feed URLs and browser-search sources because it contacts external sites.

Before installing or running, inspect the OPML and feeds.txt entries and remove private, internal, or unfamiliar URLs. Provide the OPML path explicitly instead of relying on the personal default path, and use accountless/public browsing for WeChat or Xiaohongshu searches when practical.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill directs execution of local scripts, reads from local files, writes derived artifacts, and performs external fetching, but it declares no permissions or user-facing consent model. This creates a mismatch between apparent and actual capabilities, increasing the risk of silent local data access and network activity that a user may not expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Using a hardcoded default path to a specific local user file can cause the skill to access private local data without an explicit user choice at runtime. Even if the file is only an OPML list, it may reveal personal subscriptions, interests, and accounts, and it normalizes reading from a host-specific path that may not belong to the current user.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs ingestion and browser searching across multiple external platforms without disclosing privacy, tracking, and content-integrity risks. This can expose user interests, query terms, and watched sources to third parties and may lead users to trust aggregated content from unofficial bridges or manual scans without adequate provenance warnings.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal