RSS-Brew

Security checks across malware telemetry and agentic risk

Overview

RSS-Brew is a coherent RSS digest tool that fetches feeds, uses external AI/search services, and writes local run state as part of its stated purpose.

Install only if you are comfortable with the skill fetching configured feeds/articles, sending article-derived content to configured AI/search providers, and writing persistent digest/run state under the chosen data root. Use mock or dry-run modes first, avoid private or sensitive feeds unless provider sharing is acceptable, review ~/.openclaw/.env usage for Tavily, and pin/audit dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises executable CLI workflows and operational commands with access to environment variables, filesystem state, shell execution, and likely networked pipeline behavior, yet it declares no permissions. This creates a transparency and trust-boundary problem: a caller may invoke the skill without understanding that it can read/write local data roots and trigger external activity, increasing the chance of unintended side effects or over-privileged use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared description frames the skill as an operational wrapper for running and inspecting a digest pipeline, but the detected behavior implies much broader capabilities including fetching untrusted web content, calling external model/services, performing enrichment, rendering outputs, and manipulating published artifacts. That mismatch is dangerous because it can mislead operators about the real attack surface, data flows, and side effects, making risky actions appear routine and increasing the likelihood of unintended network access, data exfiltration, or publication of attacker-influenced content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script loads an API key from environment variables and performs direct calls to an external LLM service, creating a real data-exfiltration boundary and expanding the skill's capabilities beyond simple pipeline operation. In the RSS-Brew context, this is notable because article data and metadata are transmitted off-box to a third party without the capability being clearly reflected in the stated skill purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements substantive external AI-based article scoring, which is a materially different capability from merely operating a digest pipeline via CLI. This mismatch is security-relevant because hidden or under-disclosed capabilities can cause operators to run code that sends content externally or makes trust-sensitive decisions they did not expect.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements outbound web search to Tavily and sends user-provided queries plus an API key to a third-party service, but that capability is not disclosed by the skill's stated RSS-Brew pipeline purpose. Hidden network functionality increases the risk of unexpected data exposure and makes it harder for operators to evaluate trust boundaries and consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script’s CLI description states it updates delivery state without mutating pipeline state, but it directly edits the manifest file by adding or changing delivery-related fields. This mismatch is dangerous because operators or downstream automation may rely on the claim of non-mutation and unintentionally alter canonical run metadata, causing audit confusion, incorrect retries/finalization behavior, or corruption of workflow assumptions.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README explicitly instructs users to run commands that write run records, digests, and state to disk and to use external APIs for LLM scoring and enrichment, but it does not clearly warn that feed content and derived summaries may be persisted locally and transmitted to third-party services. This is dangerous because users may process sensitive or private feed data without realizing the privacy, retention, and data-sharing implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The runbook includes commands for real execution and delivery-status updates that can mutate production-like data, but it does not place any clear warning immediately around those commands about side effects, irreversibility, or the need to confirm the target data root. In an operational skill, this increases the chance of accidental state changes, misdelivery marking, or corruption of run metadata by a human or agent following the documentation verbatim.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends article title, source, publication date, URL, and article content to an external chat-completion service, which is a real data-sharing/privacy risk if feeds contain proprietary, internal, or personal information. In this pipeline context, the transfer is core to functionality, but the lack of disclosure, minimization, and consent means operators may unknowingly export content off-box to a third-party model provider.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The design explicitly introduces external network calls to Reddit, Hacker News, linked pages, and Tavily enrichment, but does not specify any user-facing disclosure, consent, or data-minimization boundary for what article content, titles, or queries may be transmitted to third parties. In a content-processing pipeline, silent transmission of internal or sensitive article text to external services can create a privacy and data-governance risk even if the feature is optional and intended for legitimate enrichment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The usage guide gives concrete commands for real-data runs and delivery-status mutation against a production-like data root, but it does not clearly warn that these operations can modify persistent state or trigger downstream delivery workflow changes. In an agent-skill context, documentation is often treated as executable guidance, so omission of safety boundaries increases the chance of unintended writes, false delivery state changes, or accidental live operations.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The script accepts arbitrary URLs from command-line input and fetches them directly, which creates a server-side request forgery style primitive if this tool is run in a trusted network environment. An attacker who can influence the input URLs could cause requests to internal services, cloud metadata endpoints, or other sensitive network locations, and the RSS-Brew context makes this more dangerous because feed ingestion pipelines commonly process externally supplied feed sources automatically.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends title, source, publication date, URL, and article summary/text to an external API without any in-file disclosure, consent flow, or redaction step. That is dangerous because article content may include proprietary, embargoed, or sensitive material, and operators may not realize it is being transmitted to a third-party provider.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends article titles directly to an external search provider, which transmits content-derived data off-box without any consent gate, warning, or sanitization. If article titles contain unpublished, internal, or sensitive information, this creates a real data disclosure risk to a third party and broadens the skill’s trust boundary beyond the stated RSS pipeline operations.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code accesses a sensitive API credential and later includes it in an outbound request to a third-party service without any disclosure in the skill context or visible user warning. In an agent skill, undisclosed secret usage and transmission can violate operator expectations and may enable unreviewed external interactions.

Ssd 1

Medium
Confidence
94% confidence
Finding
Untrusted article text is interpolated directly into the model prompt, so embedded instructions in article content can influence the scorer's output or formatting despite the system prompt. In this workflow, that can corrupt ranking decisions, trigger malformed responses, or cause the model to ignore the intended rubric, undermining integrity of the digest pipeline.

Credential Access

High
Category
Privilege Escalation
Content
    if key:
        return key

    env_path = Path.home() / ".openclaw" / ".env"
    if not env_path.exists():
        return None
Confidence
84% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser
trafilatura
pyyaml
pydantic
Confidence
97% confidence
Finding
feedparser

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser
trafilatura
pyyaml
pydantic
openai
Confidence
97% confidence
Finding
trafilatura

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser
trafilatura
pyyaml
pydantic
openai
pytest
Confidence
99% confidence
Finding
pyyaml

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser
trafilatura
pyyaml
pydantic
openai
pytest
Confidence
96% confidence
Finding
pydantic

Unpinned Dependencies

Low
Category
Supply Chain
Content
trafilatura
pyyaml
pydantic
openai
pytest
Confidence
95% confidence
Finding
openai

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml
pydantic
openai
pytest
Confidence
91% confidence
Finding
pytest

Known Vulnerable Dependency: feedparser — 10 advisories: CVE-2011-1157 (feedparser Cross-site Scripting vulnerability); CVE-2009-5065 (feedparser Cross-site Scripting vulnerability); CVE-2011-1158 (feedparser Cross-site Scripting vulnerability) +7 more

High
Category
Supply Chain
Confidence
75% confidence
Finding
feedparser

Known Vulnerable Dependency: pyyaml — 8 advisories: CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
pyyaml

VirusTotal

62/62 vendors flagged this skill as clean.