Ai Daily

Security checks across malware telemetry and agentic risk

Overview

This AI news-report skill mostly does what it claims, but it weakens HTTPS protection and includes under-disclosed automation and external sharing paths that users should review first.

Review before installing. Restore normal HTTPS certificate verification, remove the unused GitHub token access, store API keys in a safer scoped location, and delete or reconfigure the DingTalk push script unless you intentionally want reports sent to that exact external group. Use cron or systemd only after reviewing the scheduled command and the persistent service files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The cron example embeds a shell command (`cd ... && bash scripts/generate.sh`) in a scheduled system event, which introduces command-execution behavior into the configuration of a content-generation skill. Even if intended for automation, embedding shell execution in a scheduler broadens the attack surface: if the event text, path, or script is modified, the platform may execute arbitrary commands with the agent's privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The script reads credential-like environment variables that are not all necessary for the implemented behavior. In particular, GITHUB_TOKEN is collected but never used, which expands the skill's access to unrelated secrets and creates unnecessary exposure if the process memory, logs, or future code paths are compromised.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The guide tells users to place long-lived API keys in shell startup files, which makes them persist across sessions and increases the chance of accidental disclosure through dotfile backups, support bundles, shared accounts, or version control. While common in informal setup docs, it omits basic credential-handling warnings and safer alternatives, so it creates a real secret-management weakness.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The installation instructions include privileged system modification commands that create and enable systemd units, but they do not clearly warn that these commands alter persistent host configuration and require elevated privileges. In a skill ecosystem, encouraging users to paste such commands without caution increases the risk of unintended persistence, service misconfiguration, or broader host impact.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
TLS certificate verification is globally disabled for outbound HTTPS requests by setting check_hostname to false and verify_mode to CERT_NONE. This allows man-in-the-middle interception and tampering of feeds, search results, and article content, which is especially dangerous because the script ingests remote content and republishes it into generated reports.

VirusTotal

66/66 vendors flagged this skill as clean.
