feed-diet

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it audits HN/RSS reading habits, with privacy-relevant but disclosed feed fetching, local caching, and optional LLM classification.

Install if you are comfortable with the skill fetching HN/RSS data and possibly sending feed item titles and URLs to your configured LLM provider. Use the keyword fallback or avoid setting provider access if feed privacy matters, and clear the local feed-diet cache after sensitive audits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README explicitly states that batches of user reading-history items are sent to Anthropic or OpenAI for classification, but it does not clearly warn users that their feed contents, titles, and possibly URLs or other consumption data will leave the local environment and be transmitted to third-party AI providers. This is dangerous because reading history can reveal sensitive interests, work topics, health or political interests, and other personal profiling data, so users may unknowingly disclose private behavioral data to external services.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
Several trigger phrases such as "reading habits" and "what am I reading" are broad everyday language that could activate the skill in contexts where the user did not intend a feed audit. Unintended activation is risky here because the skill can fetch external data, parse local OPML paths, and potentially send content to a classifier, turning a prompt-routing issue into an unnecessary privacy and execution event.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill states that fetched items are piped through a classifier that may use OpenAI or Anthropic if API keys are present, but it does not clearly warn the user that their feed contents may be sent to third-party LLM providers. Because HN activity and RSS subscriptions can reveal sensitive interests, work topics, or personal preferences, silent transmission to external services creates a meaningful privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This script sends item titles and URLs to third-party LLM services when API keys are present, but the script itself provides no explicit consent gate, warning, redaction step, or privacy control before transmission. Because feed items can contain sensitive or internal URLs/titles, this creates a real data-exposure risk rather than a purely theoretical concern.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script pipes fetched HN/RSS content into classify.sh, and the help text explicitly indicates classification may use ANTHROPIC_API_KEY or OPENAI_API_KEY. That means potentially sensitive feed contents, reading habits, or private OPML-derived article metadata can be transmitted to third-party APIs without an explicit runtime consent prompt or warning at the point of execution. In a tool that audits a user's information diet, this is a meaningful privacy risk even if it is likely intended functionality rather than malicious exfiltration.
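The Overview advice (use the keyword fallback or withhold provider keys when feed privacy matters) and the findings above (no consent gate, no redaction step before titles and URLs reach a provider) describe the same missing control. The script below is an added example, not feed-diet's own classify.sh, showing what such a gate looks like in the same bash-and-environment-variable style: remote classification runs only when the user has opted in explicitly AND a provider key is present, URLs are stripped of query strings and fragments before they could be sent, items pointing at private hosts are always classified locally, and everything else falls back to keyword matching. The names FEED_DIET_ALLOW_REMOTE and FEED_DIET_PRIVATE_HOSTS, the private-host markers, and the keyword lists are assumptions, not the skill's real configuration; no network request is made, the remote path only reports what would be sent.

```shell
#!/usr/bin/env bash
# Added example, not part of feed-diet or its classify.sh. It shows the pieces
# the findings say are missing: an explicit opt-in before any provider call,
# a redaction step for URLs, a deny-list for private hosts, and the local
# keyword fallback. FEED_DIET_ALLOW_REMOTE, FEED_DIET_PRIVATE_HOSTS and the
# keyword lists are assumptions, not the skill's real configuration.
# Nothing here performs a network request; the remote path only reports what
# would be sent.
set -u

# Host markers whose items must never leave the machine (assumed list).
FEED_DIET_PRIVATE_HOSTS="${FEED_DIET_PRIVATE_HOSTS:-localhost 127.0.0.1 intranet internal corp}"

# Consent gate: remote classification requires BOTH an explicit opt-in and a
# provider key. A key sitting in the environment is not consent by itself.
feed_diet_consent_ok() {
  [ "${FEED_DIET_ALLOW_REMOTE:-}" = "1" ] || return 1
  [ -n "${ANTHROPIC_API_KEY:-}" ] || [ -n "${OPENAI_API_KEY:-}" ] || return 1
  return 0
}

# Redaction: drop the query string and fragment, where tracking parameters
# and tokens embedded in links usually live.
feed_diet_redact_url() {
  local url="$1"
  url="${url%%\?*}"
  url="${url%%#*}"
  printf '%s' "$url"
}

# Deny-list check of the URL's host against the private-host markers.
feed_diet_is_private_url() {
  local url="$1" host marker
  host="${url#*://}"; host="${host%%/*}"; host="${host%%:*}"
  for marker in $FEED_DIET_PRIVATE_HOSTS; do
    case "$host" in
      "$marker"|*."$marker"|"$marker".*|*."$marker".*) return 0 ;;
    esac
  done
  return 1
}

# Local rule-based classifier (the keyword-matching fallback): no data leaves
# the machine. Keyword lists are illustrative only.
feed_diet_keyword_classify() {
  local title
  title=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$title" in
    *security*|*cve*|*exploit*|*vulnerab*) printf 'security' ;;
    *rust*|*python*|*compiler*|*kernel*)   printf 'programming' ;;
    *startup*|*funding*|*layoff*)          printf 'business' ;;
    *)                                     printf 'other' ;;
  esac
}

# Route one item. Prints "local:<category>" when it was classified offline,
# or "remote:<title>|<redacted url>" when it is allowed to go to a provider.
feed_diet_route_item() {
  local title="$1" url="$2"
  if feed_diet_is_private_url "$url" || ! feed_diet_consent_ok; then
    printf 'local:%s' "$(feed_diet_keyword_classify "$title")"
    return 0
  fi
  printf 'remote:%s|%s' "$title" "$(feed_diet_redact_url "$url")"
}

# Constructed sample feed items (title<TAB>url), not real fetched data.
feed_diet_demo() {
  printf '%s\t%s\n' \
    'New CVE in OpenSSL TLS handshake' 'https://example.com/post?utm_source=rss' \
    'Q3 roadmap review' 'https://wiki.corp.example/roadmap' \
    'Rust 2.0 compiler notes' 'https://blog.example.org/rust#comments' |
  while IFS="$(printf '\t')" read -r title url; do
    printf '%-35s -> %s\n' "$title" "$(feed_diet_route_item "$title" "$url")"
  done
}
feed_diet_demo
```

Run it with no provider keys and every item stays local; export FEED_DIET_ALLOW_REMOTE=1 together with a key and only the public items become candidates for transmission, with their URLs already stripped. The deny-list is deliberately host-based rather than keyword-based so that an internal wiki link with an innocuous title is still held back.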

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
        max_tokens: 1024,
        messages: [{role: "user", content: $prompt}]
      }')
    RESULT=$(printf '%s' "$request_body" | curl -sf --max-time 30 \
      -H "x-api-key: ${ANTHROPIC_API_KEY}" \
      -H "anthropic-version: 2023-06-01" \
      -H "content-type: application/json" \
Confidence: 97%
Finding
curl -sf --max-time 30 -H "x-api-key: ${ANTHROPIC_API_KEY}" -H "anthropic-version: 2023-06-01" -H "content-type: application/json" -d

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
        max_tokens: 1024,
        messages: [{role: "user", content: $prompt}]
      }')
    RESULT=$(printf '%s' "$request_body" | curl -sf --max-time 30 \
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
      -H "content-type: application/json" \
      -d @- \
Confidence: 97%
Finding
curl -sf --max-time 30 -H "Authorization: Bearer ${OPENAI_API_KEY}" -H "content-type: application/json" -d

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
      -H "anthropic-version: 2023-06-01" \
      -H "content-type: application/json" \
      -d @- \
      https://api.anthropic.com/v1/messages 2>/dev/null | jq -r '.content[0].text // empty' 2>/dev/null) || RESULT=""
  fi

  # Method 3: Use OPENAI_API_KEY
Confidence: 90%
Finding
https://api.anthropic.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
      -H "content-type: application/json" \
      -d @- \
      https://api.openai.com/v1/chat/completions 2>/dev/null | jq -r '.choices[0].message.content // empty' 2>/dev/null) || RESULT=""
  fi

  # Method 4: Rule-based fallback (keyword matching)
Confidence: 90%
Finding
https://api.openai.com/

VirusTotal

65/65 vendors flagged this skill as clean.