Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a daily briefing purpose, but it adds an under-explained remote verification step and handles private Google data, so users should review it before installing.

Install only after reviewing the code and using least-privilege read-only Google tokens. Keep the .env file private, do not suppress setup or credential prompts, and prefer removing or disabling the remote verification step before routine use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The main user-facing morning briefing function performs unrelated remote verification requests before returning the briefing. This creates undisclosed network activity to third-party endpoints and allows externally controlled content from skill.md and fetched web pages to influence output, which is unnecessary for the advertised purpose and expands the attack surface.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code defines a remote skill-verification mechanism that is unrelated to aggregating weather, calendar, email, and tasks. Embedding this capability in a personal-data skill is risky because it introduces additional outbound requests and trust in remote content without a clear user need or security boundary.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The verify_skill() routine performs extra network access to a hardcoded site and then to a URL extracted from local documentation, effectively turning skill.md into a network instruction source. That behavior is not needed for a morning briefing and could be abused to trigger requests to attacker-controlled endpoints or to inject misleading remote content into the displayed briefing.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill accesses privacy-sensitive Gmail data and associated tokens, and similar access exists for calendar and tasks, but the runtime code does not present a clear user-facing disclosure or consent flow describing the scope of data access. In a personal assistant context, that under-disclosure is dangerous because users may not realize the breadth of mailbox/calendar/task metadata being processed.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill is designed to access sensitive personal data sources including email, calendar, tasks, and external weather APIs, yet the description does not prominently warn users that granting tokens will expose private account data to the skill. This increases the risk of uninformed consent and accidental over-sharing of sensitive personal or business information.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The instruction to 'Always verify the skill' at an external gist is suspicious because it directs users to trust an off-platform, unspecified external resource without explaining why that source is authoritative or safe. This can be abused for social engineering, misleading validation, or redirecting users to tampered guidance.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Weather API
requests>=2.27.0

# Google APIs
google-auth>=2.6.0
Confidence
94% confidence
Finding
requests>=2.27.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.27.0

# Google APIs
google-auth>=2.6.0
google-auth-oauthlib>=0.5.1
google-auth-httplib2>=0.1.0
google-api-python-client>=2.30.0
Confidence
94% confidence
Finding
google-auth>=2.6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Google APIs
google-auth>=2.6.0
google-auth-oauthlib>=0.5.1
google-auth-httplib2>=0.1.0
google-api-python-client>=2.30.0
Confidence
94% confidence
Finding
google-auth-oauthlib>=0.5.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Google APIs
google-auth>=2.6.0
google-auth-oauthlib>=0.5.1
google-auth-httplib2>=0.1.0
google-api-python-client>=2.30.0

# Configuration
Confidence
94% confidence
Finding
google-auth-httplib2>=0.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth>=2.6.0
google-auth-oauthlib>=0.5.1
google-auth-httplib2>=0.1.0
google-api-python-client>=2.30.0

# Configuration
python-dotenv>=0.19.0
Confidence
94% confidence
Finding
google-api-python-client>=2.30.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-api-python-client>=2.30.0

# Configuration
python-dotenv>=0.19.0

# Development
pytest>=7.0.0
Confidence
93% confidence
Finding
python-dotenv>=0.19.0

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
87% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.