AI Daily Digest

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it stores a Gemini API key in a predictable plaintext config file and sends feed content to AI providers, so users should review it before installing.

Install only if you are comfortable providing an AI API key, sending RSS article titles/descriptions/URLs to Gemini or your configured OpenAI-compatible provider, and having the Gemini key saved locally in `~/.hn-daily-digest/config.json`. Prefer a restricted or low-billing-limit key, avoid using this on shared machines, delete the config file when done, and do not set `OPENAI_API_BASE` to an endpoint you do not trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
The skill clearly requires network access and environment-variable handling, but those capabilities are not explicitly declared in metadata. That mismatch reduces transparency and can prevent users or platforms from making informed trust decisions about what the skill will access and transmit.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation instructs the agent to persist a user-provided Gemini API key in a local config file, which extends behavior beyond simple digest generation into credential retention. Storing secrets for future reuse increases the blast radius of compromise and creates a privacy/security risk if the local filesystem is exposed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill permits an arbitrary OpenAI-compatible base URL via `OPENAI_API_BASE` and then sends prompts and API credentials to that endpoint. That expands outbound network access beyond the declared RSS-digest behavior and can route sensitive article content or API keys to attacker-controlled infrastructure if the environment is misconfigured or influenced by another component.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells the agent to save and later reuse an API key without explicitly warning the user that credentials will be stored locally in plaintext. Users may reasonably assume the key is ephemeral, so silent persistence can expose sensitive credentials to other local users, backups, logs, or malware.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example config structure normalizes storing a live API key in a local JSON file without any caution about credential sensitivity. Examples strongly influence implementation behavior, so this encourages unsafe secret handling practices.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The save step writes the user's API key directly into a plaintext config file for future use, creating a direct credential exposure path. Any local compromise, shared account access, insecure backup, or accidental file disclosure could leak the key and enable unauthorized API usage or billing abuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code transmits article titles, descriptions, URLs, and prompts to third-party AI providers, but this file contains no user-facing consent, notice, or data-handling disclosure. In a digest skill that ingests many external sources, this can expose potentially sensitive or proprietary feed content and operational metadata to external services without clear user awareness.

Ssd 3

Medium
Confidence
96% confidence
Finding
Persisting and later reusing a user-provided API key introduces session persistence for sensitive credentials. This makes the skill more dangerous in context because the retained key is not required merely to generate one digest and can outlive user expectations.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented config schema explicitly includes a saved API key, institutionalizing long-term retention of sensitive material. This creates ongoing exposure and may cause downstream tools or users to treat plaintext secret storage as the intended design.

Ssd 3

High
Confidence
99% confidence
Finding
The explicit write operation stores the user's API key in a predictable plaintext location under the home directory, which is a concrete secret-retention vulnerability. In this skill's context, the credential is then used to access third-party AI APIs, so theft can directly result in unauthorized requests, cost, and account misuse.

Ssd 1

Medium
Confidence
97% confidence
Finding
Untrusted RSS titles and descriptions are inserted directly into the scoring prompt without robust isolation, so malicious feed content can include instructions that influence model behavior. Even though the model is only asked for JSON, prompt injection can corrupt scoring, force malformed output, or manipulate downstream selection and categorization of articles.

Ssd 1

Medium
Confidence
98% confidence
Finding
The summary-generation prompt embeds untrusted article text and URLs directly, giving malicious feeds a semantic channel to steer the model's summaries or output format. Because these summaries are later shown to users and reused by later prompts, injection here can taint both the visible report and subsequent AI processing stages.

Ssd 1

Medium
Confidence
92% confidence
Finding
The highlights prompt summarizes earlier model-produced summaries, which may already contain injected content originating from malicious feeds. This creates an indirect prompt-injection chain where poisoned upstream text can influence the final 'today's highlights' narrative and amplify manipulated themes across the report.

Session Persistence

Medium
Category
Rogue Agent
Content
### Step 2b: Save configuration

```bash
# Persist the user-supplied key in a plaintext JSON file under the home directory
mkdir -p ~/.hn-daily-digest
cat > ~/.hn-daily-digest/config.json << 'EOF'
{
  "geminiApiKey": "<key>"
}
EOF
```
Confidence
97% confidence
Finding
`mkdir -p ~/.hn-daily-digest`
`cat > ~/.hn-daily-digest`

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal