Back to skill

Security audit

HF Daily Researcher V2

Security checks across malware telemetry and agentic risk

Overview

This paper-research skill is not malicious, but it needs review because it can read local profile and memory files to personalize research and has an external Feishu report path.

Install only if you are comfortable with the skill reading local OpenClaw profile and memory files to infer your research interests, storing that context in its config/history/reports, spawning sub-agents for analysis, and potentially uploading reports to Feishu when configured. Prefer manual research-topic configuration and keep cloud upload disabled unless you have reviewed the report contents and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill describes capabilities that read environment state and perform local file reads/writes, but no explicit permissions are declared. In a skill system, undeclared capability use weakens user consent and platform policy enforcement, and can lead to unexpected access to local data or persistent state changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior extends beyond the advertised research workflow by inferring user identity and research interests from local profile/memory files and environment sources, while not clearly disclosing that collection. That mismatch is dangerous because users may invoke a paper-research skill without realizing it also mines personal workspace data and persists it for future runs.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a paper tracking/reporting workflow, but the documented behavior includes saving reports locally and uploading them to Feishu. That creates an undeclared outbound data flow: reports may contain user-specific research focus, derived analysis, and possibly content sourced from profile files, so transmission to a third-party service expands exposure beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The initialization step reads USER.md and MEMORY.md to extract research direction and keywords, which is broader access than a paper search skill minimally needs. Pulling from general profile/memory stores risks collecting unrelated sensitive context and reusing it in searches, reports, or external uploads without clear scope limitation.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The prompt forbids writing to the filesystem, but the workflow later assumes a local file such as /tmp/paper_{arxiv_id}.html exists for grep/read operations. This inconsistency can cause agents to improvise unsafe behavior, create temporary files despite policy, or fail open in ways that bypass intended isolation boundaries.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The instructions first say not to use curl or wget because the environment may not support them, then later say the agent 'must use curl' to download full HTML. Contradictory execution guidance increases the chance an agent will attempt disallowed or unreliable shell/network actions, weakening control over tool usage and creating unpredictable behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The initialization logic reads USER.md, MEMORY.md, and recent memory/*.md files to infer the user's name, institution, and research interests without an explicit opt-in in this script. Even though the goal appears to be convenience rather than exfiltration, it performs profile-building from sensitive workspace data beyond what many users would expect from an initializer, creating a privacy and over-collection risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that it automatically extracts research direction and keywords from USER.md and MEMORY.md, but provides no privacy warning or consent prompt to the user. Accessing personal profile or memory files without transparent disclosure can expose sensitive preferences, project details, or other contextual data beyond what users expect for a paper-tracking task.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow says the generated report is saved locally and uploaded to Feishu, but does not warn the user about outbound transmission. Because reports can include synthesized research interests, internal priorities, and content derived from local profile files, silent export to an external platform creates a meaningful confidentiality and compliance risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill instructs shell access against /tmp/paper_{arxiv_id}.html without disclosing that the workflow depends on local temporary-file creation or presence. In isolation this is not severe, but it encourages hidden local-state assumptions and can push the agent toward unnecessary file handling that may conflict with sandbox or data-governance expectations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
save_report() automatically calls clean_local_old_reports() before writing a new report, which deletes matching files in the configured save directory without user confirmation. Because filenames and directories are partly configuration-driven, a misconfiguration or overly broad matching pattern could cause unintended loss of local report data, especially in an automated agent workflow.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to extract a user's research focus from personal memory/profile files and persist it for later use. Even if framed as convenience, this collects and stores potentially sensitive profile information from local files without a clearly documented opt-in boundary, creating privacy and secondary-use risk.

Ssd 3

Medium
Confidence
92% confidence
Finding
Persisting user-confirmed research interests into configuration for reuse in scheduled automated runs creates a durable profile of the user. That persistence increases exposure if the workspace is shared, later compromised, or if future runs use the stored profile in ways the user no longer expects.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill states that it saves outputs locally and uploads them to Feishu, and those outputs may contain user-derived research context and generated reports. Sending such material to an external platform can expose sensitive internal interests, projects, or inferred profile data, especially if users are not given explicit upload consent and destination visibility.

Ssd 3

Medium
Confidence
90% confidence
Finding
Telling the agent to output the full analysis directly in the reply instead of saving selectively can increase the risk of reproducing sensitive, copyrighted, or unintended content from fetched source material. When the source is external and potentially adversarial, direct verbatim relay amplifies data-exposure risk and can leak more than the user actually needs.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.