news-hot-hub

Security checks across malware telemetry and agentic risk

Overview

This skill is a public news hot-list aggregator with some hygiene caveats, but no hidden local access, persistence, credential use in code, or destructive behavior was found.

Reasonable to install for public hot-topic aggregation. Use a virtual environment, pin/audit dependencies if you need reproducible installs, treat returned AIBase HTML as untrusted third-party content, and do not export or share Zhihu cookies unless you deliberately need an authenticated feature and can protect those session credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes Python scripts, uses environment variables, and fetches data from external platforms, but the manifest does not declare any permissions for shell, network, or env access. This weakens review and sandbox enforcement because the actual execution capabilities are broader than what a consumer of the skill metadata would expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
78% confidence
Finding
The stated purpose is a hot-list aggregator, but the documented behavior includes additional functions such as cross-platform analysis, status checks, and broader AIBase retrieval modes. This mismatch can mislead users and reviewers about the true operational scope, making it easier for overbroad data access or unexpected execution paths to go unnoticed.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The helper fetches and returns full article HTML content for each listed item, which exceeds the skill's stated purpose of aggregating hot-topic or hot-search data. This creates unnecessary data collection and output expansion, increasing privacy/compliance risk and exposing downstream consumers to unneeded untrusted HTML content from third-party pages.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The main fetch path enables with_content=True by default, so every news/daily/all invocation enriches each result with article bodies rather than just hot-list summaries. In the context of a cross-platform hot-search aggregation skill, this broadens data access beyond user expectations and can amplify prompt-injection or unsafe rendering risks if downstream components consume the returned HTML.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list contains broad phrases like '全网热点' and similar generic wording that may match ordinary conversation, causing the skill to activate when the user did not clearly request it. Because this skill performs network-backed script execution, accidental activation can lead to unintended outbound requests and confusing or privacy-impacting behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide instructs users to extract and export Zhihu cookies, which are authentication secrets, but does not warn that these credentials are sensitive or describe safe handling practices. In a skill ecosystem where docs may be followed verbatim, this increases the risk of credential leakage through shell history, logs, screenshots, shared terminals, or accidental check-in to config files.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
Confidence
93% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
Confidence
89% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
Confidence
95% confidence
Finding
lxml>=4.9.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): GHSA-55x5-fj6c-h6m8; CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
lxml

VirusTotal

66/66 vendors flagged this skill as clean.
