ClawHub

AI News Digest (中文版)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s news-digest behavior is coherent, but its documented pipe-to-shell installers create avoidable high-impact install risk.

Install through the ClawHub/openclaw flow when possible. Avoid the curl | bash or irm | iex commands unless you first download and inspect the installer or use a pinned, trusted release. After installing, expect the skill to fetch public news sources and create or update markdown files under Desktop/ai-news unless you specify another path or mode.

SkillSpector (4)

By NVIDIA

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The README explicitly describes writing output files to the desktop and archiving prior versions, but it does not prominently warn users that invoking the skill modifies local files and may overwrite/update previous reports. In an agent context, silent file creation or archival can surprise users and cause unintended persistence or clutter, especially when broad natural-language triggers are also advertised.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to activate on ordinary conversation about AI news, which can cause the agent to perform network fetching and filesystem writes without the user clearly intending to invoke this skill. Because the skill may create directories, read prior digest files, and write reports by default, over-broad activation expands the chance of unintended side effects.

External Script Fetching

Low
Category
Supply Chain
Content
#!/usr/bin/env bash
# ai-news-digest skill installer (Claude Code)
# Usage: curl -fsSL https://raw.githubusercontent.com/yan1sanjin/ai-news-digest/main/install.sh | bash

set -e
Confidence
97% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/yan1sanjin/ai-news-digest/main/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
#!/usr/bin/env bash
# ai-news-digest skill installer (Claude Code)
# Usage: curl -fsSL https://raw.githubusercontent.com/yan1sanjin/ai-news-digest/main/install.sh | bash

set -e
Confidence
98% confidence
Finding
| bash

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal