Ai News Skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI-news automation skill that writes reports to configured Feishu destinations, with risks mainly around scheduled sharing, the Jina URL proxy, and installer side effects.

Before installing, review install.sh because it installs an external Python package and overwrites existing ai_news_fetcher/ai_news_reporter directories under your OpenClaw skills folder. Only configure Feishu tables, wiki spaces, and chat IDs you intend the automation to write to, and start cron jobs only after a manual dry run. Do not add private or internal URLs as news sources unless you are comfortable sending those URLs to r.jina.ai.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README prominently describes automatic writes to Feishu tables, knowledge bases, group chats, and local files, but it does not pair those capabilities with an explicit privacy/data-sharing warning or consent guidance. In this skill context, the automation is intended functionality, but the absence of clear disclosure increases the risk that users unknowingly publish scraped or AI-generated content to external systems on a recurring basis.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Quick Start tells users to hand a remote install URL to an AI agent so it can automatically install and configure dependencies, which can lead to unreviewed system changes and execution of fetched instructions. In this context, the risk is elevated because the workflow explicitly encourages agent-mediated installation of additional software and configuration without first directing the user to inspect what will be run.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cron examples automate recurring delivery of generated reports to Feishu knowledge bases and group chats, but they do not clearly warn that this creates ongoing outbound data sharing and persistence in external services. In a reporting skill, such automation is expected, yet the lack of explicit caution makes accidental over-sharing more likely, especially when AI-generated summaries may include sensitive notes or misclassified content.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The install guide tells users to clone a repository and execute `./install.sh` without any warning that this runs repository-controlled code and may modify the local system. While common in open-source setup docs, this still creates a real supply-chain and arbitrary-code-execution risk if the repository or script is malicious, compromised, or reviewed insufficiently.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The instructions ask users to copy config templates and populate Feishu/Bitable identifiers and URLs, but provide no guidance on sensitivity, storage, or sharing. These values may not always be full secrets, but they can expose internal workspace structure or enable misuse if mishandled, especially if later committed to source control or shared in support logs.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description states a broad capability to fetch the day's raw news and write it into a Feishu table, but it does not define activation boundaries, source constraints, or authorization conditions. In an agent setting, vague scope can cause the skill to be invoked in unintended contexts, leading to over-collection of data, interaction with untrusted sources, or writes to external systems without sufficiently narrow user intent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The default prompt is broad enough to trigger collection and writing actions without clear user scoping, confirmation, or constraints on when the skill should be invoked. In a workflow that fetches external content and writes into Feishu, this increases the risk of unintended autonomous execution, over-collection, or data being written to the wrong destination if the skill is implicitly invoked from loosely related requests.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default prompt authorizes a broad, multi-step workflow: reading news from Feishu, building signals, updating a daily report document, and preparing a morning briefing, but it does not define clear user-trigger conditions, scope limits, or confirmation requirements before modifying documents. In a skill with implicit invocation enabled, this increases the chance of unintended autonomous execution and overreach into data access or document updates beyond what the user explicitly requested.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill specifies automatic delivery of weekly reports and deep-analysis documents to a target group in cron mode, but it does not require explicit user confirmation, preview, or recipient verification before external dissemination. This creates a real risk of unintended disclosure, especially because the workflow aggregates content from multiple sources and can run unattended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates fetching article content through `curl -s "https://r.jina.ai/URL"`, which sends target article URLs to a third-party proxy service without any disclosure or consent mechanism. This can leak browsing targets, internal-only links if ever supplied, or sensitive research context to an external service, and the requirement is explicit rather than incidental.

External Script Fetching

High
Category
Supply Chain
Content
### Step 1: Fetch the list page

```bash
curl -s "https://r.jina.ai/URL"
```

Run it with `exec`; **do not use the `web_fetch` tool** (the two return different results).
Confidence
83% confidence
Finding
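curl -s "https://r.jina.ai/URL" ``` Run it with `exec`; **do not use the `web_fetch` tool** (the two return different results). **Gate ◆** Check that the returned content length is > 200 bytes. A length below this threshold means the page is empty or was blocked → skip that source and record the reason. ### Step 2: Structured extraction ```bash python3 normalize_agent_reach.py --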

VirusTotal

64/64 vendors flagged this skill as clean.
