Claw News

Security checks across malware telemetry and agentic risk

Overview

This news skill is mostly purpose-aligned, but it needs Review because it embeds live-looking API keys and executes a helper script from another skill workspace.

Install only after reviewing the code, removing and rotating the embedded API keys, and deciding whether you are comfortable sending search topics, RSS content, and summaries to external AI/search providers. Also avoid enabling the cron or Slack delivery examples unless you explicitly want scheduled background runs and message posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["MINIMAX_API_KEY"] = self.config.api_keys['minimax']
env["MINIMAX_API_HOST"] = "https://api.minimaxi.com"

result = subprocess.run(
    ["node", mcp_client, "web_search", query],
    capture_output=True, text=True, timeout=60, env=env
)
Confidence
81% confidence
Finding
result = subprocess.run( ["node", mcp_client, "web_search", query], capture_output=True, text=True, timeout=60, env=env )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that require environment access, filesystem reads/writes, network calls, and shell execution, but it does not declare permissions accordingly. This creates a transparency and review gap: users or the platform may authorize or run a skill without understanding the full execution surface, increasing the chance of unintended data exposure or abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest frames the skill as a news briefing tool, but the documentation adds broader behavior including custom web tracking, Kickstarter scraping, and external integrations beyond the stated scope; the finding also notes hardcoded API key usage in code. Scope expansion plus undocumented external service usage is dangerous because it can conceal sensitive data flows and privileged actions from users and reviewers, and hardcoded secrets would further enable credential leakage or misuse.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest description omits the documented directed-crawler/Kickstarter tracking capability, so the published summary understates what the skill can do. That mismatch weakens informed consent and security review, especially because targeted crawling introduces additional network, scraping, and potential data-handling risks not expected from a simple news digest skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The search path depends on executing a Node.js client located in another skill workspace under the user's home directory. That creates a supply-chain style trust problem: if that external skill or path is altered, this module will execute attacker-controlled code with inherited environment context and provider credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to configure external AI API keys and describes multi-API search, but it does not clearly disclose that user queries, topics, names, RSS-derived content, and possibly summarized article text will be transmitted to third-party services. This creates a real privacy and data-governance risk because operators may unknowingly send sensitive interests or content to external vendors under separate retention and logging policies.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad everyday terms such as 'interest' and 'rss', which can cause accidental activation in unrelated conversations. In a skill that performs network access, scheduled jobs, and push delivery, unintended invocation can lead to unexpected external requests, content processing, or state changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation does not clearly warn that user interests, search topics, RSS content, and generated summaries may be sent to external AI APIs and push channels. This is a real privacy and data-governance risk because users may disclose sensitive interests or content under the assumption processing is local, while the skill actually forwards data to third parties.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup guide explicitly configures third-party Kimi/Moonshot endpoints for summarization of news content, but it does not clearly disclose that fetched article text, headlines, or derived content may be transmitted off-platform to an external provider. This creates a real privacy and compliance risk because users may enable the feature without understanding that potentially sensitive or copyrighted content is being sent to external AI services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends article titles and content to the external Moonshot/Kimi API during the normal summarization flow, but there is no user-facing notice, consent gate, or data-handling warning in this path. In a news/RSS skill, feed items may contain private, licensed, or sensitive content, so silent third-party transmission creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In API mode, news item content is sent to an external Kimi service for summarization, but the CLI behavior does not provide an explicit privacy warning, consent gate, or data-classification check before transmitting potentially sensitive article text. In this skill context, RSS/news content is often public, which lowers severity, but feeds can also include private, internal, or user-curated sources, so silent exfiltration to a third party remains a real privacy and compliance risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded API key is embedded directly in the script and then used to make external network requests. Anyone with access to the file can extract and abuse the credential, leading to unauthorized API consumption, billing abuse, possible access to associated service data, and difficult key rotation after disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints the API key length and a visible prefix of the KIMI API key to stdout. Even partial credential disclosure can aid key identification, correlation across logs/screenshots, and accidental leakage via CI logs, terminal history, or shared debugging output.

Missing User Warnings

High
Confidence
99% confidence
Finding
A live-looking API key is hardcoded directly in source code, which exposes a secret to anyone with file or repository access and enables unauthorized use of the external service. In a news aggregation skill that makes outbound AI requests, compromise of this credential can lead to account abuse, billing loss, and use of the key to process arbitrary attacker-controlled prompts under the project's identity.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script sends system and user prompt content to an external AI provider, but there is no visible disclosure, consent, or data-minimization control. In the context of a news skill that may eventually include user interests, names, RSS-derived content, or summaries, this creates privacy and compliance risk because potentially sensitive input is transmitted off-platform.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
anthropic>=0.18.0
requests>=2.31.0
python-dateutil>=2.8.0
Confidence
96% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
anthropic>=0.18.0
requests>=2.31.0
python-dateutil>=2.8.0
beautifulsoup4>=4.12.0
Confidence
97% confidence
Finding
anthropic>=0.18.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
anthropic>=0.18.0
requests>=2.31.0
python-dateutil>=2.8.0
beautifulsoup4>=4.12.0
Confidence
98% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
anthropic>=0.18.0
requests>=2.31.0
python-dateutil>=2.8.0
beautifulsoup4>=4.12.0
Confidence
95% confidence
Finding
python-dateutil>=2.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic>=0.18.0
requests>=2.31.0
python-dateutil>=2.8.0
beautifulsoup4>=4.12.0
Confidence
95% confidence
Finding
beautifulsoup4>=4.12.0

Known Vulnerable Dependency: anthropic — 2 advisory(ies): CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem ); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Low
Category
Supply Chain
Confidence
90% confidence
Finding
anthropic

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
