ClawHub
Back to skill

Security audit

News Aggregator Skill

Security checks across malware telemetry and agentic risk

Overview

The skill’s network fetching and local report generation fit a news aggregation purpose, with only minor usability/scoping cautions.

Install only if you are comfortable with the skill fetching and parsing external news pages and saving generated reports locally. Review or restrict the source list if you need tighter control over which sites are contacted, and expect output to default to Simplified Chinese unless the skill is changed or overridden.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The menu/help trigger is defined as the exact phrase or loosely similar variants, which creates an overly broad activation condition. In an agent setting, ambiguous triggers can cause unintended execution of skill behaviors, including reading local files and steering the conversation flow, when the user did not clearly intend to invoke the menu.

Natural-Language Policy Violations

Medium
Confidence
77% confidence
Finding
The skill mandates Simplified Chinese output regardless of user preference or environment, which can override user intent and reduce transparency or usability for non-Chinese readers. In agent systems, forced locale behavior is a policy-quality issue because it can degrade user control and make outputs less reviewable, though it does not by itself create direct code-execution or data-exfiltration risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.