info-research-report

Security checks across malware telemetry and agentic risk

Overview

The skill does match its stated report-generation purpose, but it can automatically send reports by email and even falls back to a fixed QQ address when no recipient is supplied.

Review before installing. Only run it with an explicit, verified recipient email, avoid sensitive or regulated source material unless MiniMax/OpenAI and email transmission are acceptable, use --no-fetch for untrusted results, and set OPENCLAW_SKILLS_DIR only to a trusted skills directory containing a trusted email-mail-master installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding:
The skill routes fetched webpage content and generated summaries to third-party LLM providers and invokes external tooling for content retrieval and email delivery, which expands data exposure beyond a simple report-generation workflow. Although parts of this are mentioned in warnings and requirements, the top-level description understates the privacy and trust implications, so users may provide sensitive material without understanding that external services will process it.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The skill executes another skill's mail.py from a path partly controlled by OPENCLAW_SKILLS_DIR, creating a cross-skill trust boundary violation. If that directory or script is replaced, the report skill will run attacker-controlled Python code under the current user's privileges when sending mail.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README explicitly advertises automatic emailing of generated reports, but it does not clearly warn users that report contents may be transmitted to an external recipient. Because these reports may contain scraped, summarized, or sensitive research data, omission of an explicit transmission warning can cause unintended data disclosure and unsafe use in sensitive environments.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The README states that the skill supports web content fetching and analysis, but it does not prominently warn that this performs network access and retrieves untrusted external data. In a security-sensitive or air-gapped setting, this can surprise users, expand the attack surface, and lead to ingestion of malicious or sensitive remote content without informed consent.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The code sends prompts and potentially large amounts of fetched webpage content to third-party LLM APIs without an explicit consent gate or data-classification check. In a research workflow, scraped pages may contain sensitive, proprietary, or regulated information, so undisclosed off-box transmission can create confidentiality, compliance, and privacy exposure.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill automatically fetches arbitrary URLs from result data using an external browser tool, with only a generic informational print and no real confirmation or safety policy. In context, this can access attacker-supplied URLs, causing unintended network interactions, internal resource access through a capable fetcher, or reputational/compliance issues from contacting remote sites automatically.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The script emails the generated report and attachment to the supplied recipient automatically, without an upfront confirmation step or recipient validation beyond command-line input. Because the report aggregates fetched content and model-generated analysis, this can cause unintentional external disclosure of potentially sensitive research outputs.

VirusTotal

65/65 vendors flagged this skill as clean.
