A skill that lets Chinese users access RSS subscription aggregation through openclaw on cloud services, so they can view the RSS feeds recommended by Andrej Karpathy.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only RSS setup skill: its sudo and network install steps are visible in the README and match its stated purpose, but they change the host and fetch executable code from the network, so users should review them before running them.

Before installing, review the commands, run sudo only on a trusted Linux host, consider using a container or non-production machine, verify the GitHub feed tool and rss-digest skill yourself, and consider pinning the Go module version instead of using @latest.
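The checks above (pin the Go module instead of using @latest, keep the mirror but still verify what it serves) can be scripted rather than done by eye. The following is an added example, not part of the skill or its README: it classifies a `module@ref` string as pinned or unpinned before installing, accepts both tagged releases and Go pseudo-versions (which the page does not mention), and forces GOSUMDB to the public checksum database so that using the goproxy.cn mirror does not also mean trusting it for module contents. The module path `example.com/feed` is a placeholder, since the README's actual `go install` target is not shown on this page.

```shell
#!/bin/sh
# Added example (not the skill's own code). Gate the README's
# `go install` step so only a pinned module ref is installed, and the
# Go checksum database stays on even when GOPROXY points at a mirror.

# Classify "module@ref". Prints "pinned" for a tagged semver release
# (v1.4.2, including prerelease suffixes) or a pseudo-version
# (v0.0.0-20240101000000-abcdef123456); "unpinned" for @latest, a branch
# name, or no @ref at all.
check_pinned_module() {
    case "$1" in
        *@*) ref="${1##*@}" ;;
        *)   echo unpinned; return 1 ;;     # bare module path resolves to latest
    esac
    case "$ref" in
        v[0-9]*.[0-9]*.[0-9]*) echo pinned;   return 0 ;;
        *)                     echo unpinned; return 1 ;;
    esac
}

# Install only a pinned ref. GOPROXY keeps the mirror with a direct
# fallback (as the README sets it), but GOSUMDB is set explicitly so a
# tampered or stale proxy cannot substitute module contents unnoticed
# (goproxy.cn also proxies sum.golang.org). With DRY_RUN=1, the default
# here, the command is printed instead of executed.
safe_go_install() {
    mod="$1"
    if ! check_pinned_module "$mod" >/dev/null; then
        echo "refusing unpinned module ref: $mod" >&2
        return 1
    fi
    cmd="GOPROXY=https://goproxy.cn,direct GOSUMDB=sum.golang.org go install $mod"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
    else
        env GOPROXY=https://goproxy.cn,direct GOSUMDB=sum.golang.org go install "$mod"
    fi
}

# Constructed sample refs (placeholder module path, not the real tool).
for ref in example.com/feed@latest example.com/feed@main \
           example.com/feed@v1.4.2 \
           example.com/feed@v0.0.0-20240101000000-abcdef123456; do
    printf '%-55s %s\n' "$ref" "$(check_pinned_module "$ref")"
done
```

Run it with `DRY_RUN=0 safe_go_install example.com/feed@v1.4.2` after replacing the placeholder with the real module path from the README and a tag you have checked on the repository; the sudo apt steps stay outside the script on purpose, so they are still typed deliberately on a host you are willing to modify.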

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README instructs users to run system-modifying commands with sudo and install software from the network, but it does not clearly warn about elevated privileges, package changes, or the trust implications of using a third-party Go proxy and installing code from a remote repository. In an agent skill context, users may copy-paste these commands directly, which increases the chance of unintended privileged changes or supply-chain exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill instructs users to run privileged package-management commands and a network-based `go install` from an external module source, but it does not clearly warn that this changes the system and fetches executable code from the network. In a skill context, users may execute these commands verbatim, creating supply-chain and unintended system modification risk, especially on production hosts.

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
# update apt
sudo apt update
# install golang
sudo apt install golang-go
# add Chinese mirror
export GOPROXY=https://goproxy.cn,direct
# install feed
Confidence: 95%
Finding: matched pattern `sudo`

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal