Claw Cctv News Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow CCTV news fetcher; its network use is expected, though users should know it sends a bundled cookie header when fetching pages.

Install only if you are comfortable with the agent running a bundled JavaScript crawler that makes outbound requests to CCTV/CNTV news pages. The publisher should ideally remove the hardcoded cookie, validate dates strictly, and document allowed domains, but the artifacts do not show local data access, persistence, destructive behavior, or exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 78%
Finding: The skill instructs the agent to execute a local script that fetches external news content, which implies network access, but the skill does not declare any permissions. This creates a capability/permission mismatch that can bypass policy review and make network-enabled behavior less visible to operators, though the stated use case itself appears legitimate.

Missing User Warnings

Medium
Confidence: 92%
Finding: The crawler includes a hardcoded Cookie header in every outbound request, which embeds stateful identifier data into traffic without necessity or user awareness. Even if this specific cookie is not a secret account credential, hardcoding and replaying cookies is unsafe because it can leak tracking identifiers, normalize sending stale credentials, and create privacy/compliance issues or unintended authenticated behavior if reused elsewhere.

VirusTotal

64/64 vendors flagged this skill as clean.
