ClawHub

Pings News (News Agent)

Security checks across malware telemetry and agentic risk

Overview

This news skill is instruction-only and purpose-aligned, but it can send and locally store an email address for Wink Pings personalization.

Install this only if you are comfortable using Wink Pings for broad AI-news requests. Provide only your own Wink/Pings email, understand it may be stored locally in plain text and sent to wink.run as user_id, and delete skills/pings/pings-user-email if you no longer want automatic reuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill’s trigger conditions are overly broad: generic requests for 'latest AI news' are forced into this specific third-party news skill, even when the user did not ask for Pings or consent to using that service. This can cause incorrect skill routing and unnecessary collection/use of the user’s email as a persistent identifier, increasing privacy risk and reducing user control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation explicitly recommends sending a user's email as `user_id` in a URL query string. Query parameters are commonly logged by browsers, proxies, analytics systems, server access logs, and monitoring tools, which can expose personally identifiable information without the user's awareness. In this skill's context, the email is used to bind a personal subscription, so the identifier is both sensitive and directly linked to user-specific content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal