Trend Tap

Security checks across malware telemetry and agentic risk

Overview

Trend Tap mostly does what it says, but it includes optional persistent cron scheduling and an undisclosed hardcoded Weibo session-style cookie, so users should review it before installing.

Install only if you are comfortable with a skill that makes live requests to several public platforms and can create a recurring cron job when asked. Review the scheduler before using it, and be aware that the Weibo fallback includes a hardcoded cookie despite the no-auth claim.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares only Bash and Read tooling, but its documented behavior implies network access, shell execution, file writes, and persistent state changes. This matters because users and reviewers may believe the skill is a simple read-only trend lookup, while it can also modify local state and schedule recurring execution, expanding the attack surface and reducing informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is an on-demand trending-topics aggregator, but the workflow also includes persistent scheduled jobs and archived writes under the user's home directory. That mismatch is dangerous because it hides materially different behavior than users would expect from an ephemeral lookup tool, enabling unnoticed persistence and continued execution after the initial interaction.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
A trend lookup skill that also documents scheduled execution via cron introduces persistence beyond the immediate user request. Persistent execution is security-relevant because it can continue making network calls and writing files over time, increasing the consequences of misuse, compromise, or accidental activation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Granting crontab management to a skill whose core function is fetching trends is excessive privilege. Over-broad capabilities are dangerous because they allow persistent system modification unrelated to the primary task, and any prompt-routing or misuse of the skill can leverage that extra power.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file adds persistent system-scheduler behavior to a skill whose stated purpose is real-time trend aggregation. That mismatch increases risk because the skill can modify the user's environment in a durable way that users may not expect from the manifest description.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The script invokes system cron management through subprocesses, enabling persistent scheduled execution outside the immediate user request flow. In the context of a trend-query skill, this capability is unnecessarily powerful and could be abused to run recurring tasks without clear user awareness.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill description emphasizes live trend aggregation, but the code includes a hidden persistence feature via --save that writes fetched data to ~/.openclaw/trend-tap/daily/. This is not inherently malicious, but it expands the data-handling surface beyond transient lookup behavior and can create undeclared local retention of browsing/query-related outputs.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Local file-write capability is broader than what users would expect from a simple trend lookup skill, especially when the advertised purpose is just fetching and displaying live results. Even though the current write path is fixed to a user directory and the written content is only JSON results, unnecessary write permissions increase risk and can enable silent accumulation of local data.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The documented trigger phrases include very broad terms like "trend," "trends," and generic requests about what is "trending/hot," which can overlap with normal conversation and cause unintended skill activation. In an agent environment, overbroad invocation can lead to unnecessary network access across multiple external platforms, unexpected data retrieval, and reduced user control over when the skill runs.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The documented trigger phrases are broad natural-language terms such as 'trends', '热搜', and 'what is trending/hot', which are likely to overlap with ordinary conversation and cause unintended skill activation. In an agent context, this can trigger unsolicited network access and external content retrieval, increasing the risk of prompt-routing abuse, privacy leakage in context, and confusing or noisy behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Trigger phrases like 'what's happening' and other broad everyday requests can cause the skill to activate unintentionally in contexts where the user did not specifically ask for this tool. Because the skill can make network calls and, in some paths, manage persistence, accidental invocation increases the chance of unintended data access, actions, or confusing tool behavior.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest description advertises broad trigger conditions without enough constraints, making over-activation more likely. In this skill's context, that is more dangerous than a harmless false trigger because the skill is not purely passive; it can fetch external data and offers persistent scheduling functionality.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented cron commands enable persistent system changes without any warning that they modify the user's crontab and may continue running indefinitely. Silent persistence is dangerous because users may not realize they have installed a recurring task that performs ongoing network activity and file writes, which can create privacy, integrity, and operational risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code overwrites the user's crontab content without any explicit warning, interactive confirmation, or dry-run preview. Persistent task creation and removal are sensitive operations, and performing them silently makes unintended configuration changes more likely.

VirusTotal

64/64 vendors flagged this skill as clean.
