AI前沿哨兵

Security checks across malware telemetry and agentic risk

Overview

This AI news-reporting skill mostly matches its purpose, but it needs user review because it mixes broad web collection with optional credentials, insecure browser token storage, arbitrary feed fetching, and a cross-skill script execution path.

Install only if you are comfortable with a Review-level public-intelligence collector. Use an isolated environment and pin dependencies. Avoid putting secrets in USER.md or MEMORY.md. Do not enter a Twitter/X bearer token in the web UI unless necessary; prefer environment-variable or secrets-file storage for tokens. Review any custom RSS URLs before fetching them, and do not enable the follow-builders integration unless you trust and have reviewed that separate skill. VirusTotal was still pending and was not used as the basis for this verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The file claims the skill 'only uses official public APIs', but earlier sections explicitly allow fallback web scraping and user-configurable RSS sources, including arbitrary 'other' feeds. This mismatch can mislead reviewers and users about the actual network exposure and trust boundaries, causing unsafe assumptions during deployment and audit.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document states data is 'not uploaded to any third-party server', yet the same file authorizes outbound requests to multiple third-party APIs and websites. Even if only public-query traffic is sent, the statement is materially inaccurate and may conceal that user prompts, query terms, IP metadata, and request headers can be disclosed to external services.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The report asserts that all API calls are official public APIs, but elsewhere it explicitly documents non-API scraping of GitHub Trending pages, arbitrary user-configured RSS feeds, and generic web page fetching. This mismatch is a security-relevant integrity issue because it can mislead reviewers about the actual network exposure, trust boundaries, and content ingestion risks of the skill.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding
The report claims there is no data exfiltration behavior while also describing authenticated Twitter API use and outbound requests to user-configured external RSS sources without showing controls. Even if the current design is read-oriented, the unsupported assurance is unsafe because it downplays possible credential misuse, metadata leakage, or unintended transmission through external requests.

Description-Behavior Mismatch

Severity: Low
Confidence: 91%
Finding
The safety statement claims collection is limited to public intelligence, but the workflow explicitly loads local files such as USER.md and MEMORY.md. Even if intended for personalization, this is still local data ingestion and could expose sensitive project context if users are not clearly warned.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill directs execution of a Node.js script from another installed skill, creating a supply-chain and trust-boundary issue. A news-tracking skill invoking external local code can execute arbitrary behavior inherited from that dependency, which is more dangerous than simply fetching public content.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The prominent safety statement says the skill only obtains publicly accessible information, yet the documented behavior also includes reading local configuration/context files and running a local helper script. This kind of misleading assurance can cause users to underestimate the true access scope and approve risky actions they otherwise would question.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
This packaging script is framed as producing a package that can 'pass security checks' and explicitly instructs operators to submit a VirusTotal false-positive appeal. That combination is risky because it normalizes bypassing or influencing security review through reputation-management language rather than through transparent remediation and independent validation, which can help conceal unsafe contents in distributed artifacts.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger list includes broad terms like general AI/news phrases, which can cause accidental invocation in unrelated conversations. Because the skill has filesystem, network, and shell capabilities, unintended activation raises the chance of unneeded web access, local file reads, or report generation without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow instructs reading local configuration files and writing reports to disk but does not clearly present these as sensitive operations requiring notice and consent. Users may not realize the skill will touch local files, which is risky in a context where project memory files can contain internal strategy or proprietary information.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill performs extensive outbound web collection and references third-party feeds/scripts, yet it does not clearly warn users about network access or what data may be sent externally. In a reporting skill, silent outbound requests can expose prompts, search terms, or contextual data to third-party services.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The parser performs outbound HTTP requests to RSS URLs taken from configuration without any allowlist, scheme restriction, or user-facing disclosure. If an attacker can influence the feed URL, this can be abused for SSRF-style access to internal services, unexpected network egress, or contacting sensitive endpoints from the agent environment.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding
The validation helper issues a live network request to a user-supplied URL and returns parsed metadata, which means 'validation' itself triggers outbound access. This can be abused the same way as the main fetch path for SSRF and unintended egress, and the helper name may reduce operator suspicion because it sounds harmless.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The function allows callers to disable TLS certificate validation by setting verify_ssl=False, which creates an SSL context with hostname checks disabled and CERT_NONE. In a networked skill that fetches external intelligence feeds, this enables man-in-the-middle attacks, spoofed responses, and tampering with data integrity if the option is ever used in production.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The Twitter/X bearer token is persisted in localStorage, which is readable by any JavaScript executing in the page origin, including injected script from an XSS flaw or a malicious third-party dependency. In this skill, the risk is heightened because the app frequently injects user-controlled values into the DOM with innerHTML, making token theft a realistic follow-on impact if any script injection occurs.

VirusTotal

64 of 64 vendors rated this skill as clean.