Follow Builders

Security checks across malware telemetry and agentic risk

Overview

This digest skill is legitimate in purpose, but it gives unpinned remote prompts, scheduled background jobs, and local delivery credentials enough control that users should review it before installing.

Install only if you are comfortable with a skill that fetches current prompt instructions from GitHub, stores Telegram or Resend credentials locally when enabled, and may create recurring scheduled jobs. Prefer stdout/on-demand mode if you do not need automatic delivery, inspect any cron entry it creates, and avoid adding third-party keys unless you need off-terminal delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The manifest declares environment requirements and the workflow performs network operations, but there is no explicit permission declaration covering those capabilities. This creates a transparency and governance gap: users and hosting platforms may not realize the skill accesses secrets and transmits data externally. In a skill that also sets up delivery and persistence, undeclared capabilities materially increase risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a content-digest tool, but the instructions also collect credentials, write local config and .env files, modify cron, and deliver content through third-party services. This mismatch can mislead users into consenting to broader behavior than expected, including persistent background execution and external data transmission. Hidden breadth of behavior is a security-relevant trust violation even if the stated end goal is legitimate.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill goes beyond summarization and instructs the agent to perform local system configuration, including writing files and preparing persistent behavior. Expanding from content generation into host modification increases attack surface and can surprise users, especially when triggered by a broad command like /ai. The context makes this more dangerous because the skill may run in developer environments with access to sensitive local state.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill modifies scheduling infrastructure via OpenClaw cron or system crontab, creating persistent autonomous execution. Persistent scheduled tasks can continue running after the user forgets about them, repeatedly accessing local configuration and transmitting digests to external services. In a summarization skill, this is broader than necessary and increases the consequence of misconfiguration or abuse.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The onboarding flow collects third-party delivery credentials and personal contact data, then stores them locally. While related to delivery, this is a sensitive capability not obvious from the manifest and raises risks of accidental exposure, insecure local storage, or exfiltration by other tools on the host. The danger is elevated because users are told to place secrets in plaintext .env files without a storage/privacy warning.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation says no API keys are needed for stdout/right-here delivery, yet the manifest requires SUPADATA_API_KEY. This discrepancy can cause users to run the skill under false assumptions about secret requirements and data access. Misleading documentation around secrets is security-relevant because it undermines informed consent and may encourage overprovisioning of credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that the first digest will be pushed immediately after setup, which can trigger outbound delivery before the user has fully appreciated that external messaging may occur. In a skill that supports Telegram, email, or other chat delivery, this creates a real risk of unintended data transmission, spammy behavior, or accidental use of a configured third-party channel without an explicit final confirmation step.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The broad trigger phrase and especially the short command /ai can collide with generic user requests, causing the skill to activate unexpectedly. Because this skill performs onboarding, writes files, and may set up persistence, accidental invocation has more serious consequences than a normal read-only summarization tool. The skill context therefore amplifies the danger of overbroad activation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to collect and store Telegram bot tokens, Resend API keys, chat IDs, and email addresses without an explicit privacy/storage warning. Storing these values in local files can expose them to other local users, backup systems, logs, or unrelated tools. In a skill that also configures autonomous delivery, silent collection of sensitive data is a meaningful security weakness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill creates persistent scheduled jobs but does not clearly warn that they will continue running automatically and may transmit content later. Users may not realize they are authorizing background activity beyond the current session. This is especially risky in non-persistent-agent contexts where crontab execution bypasses the interactive agent and continues unattended.

External Transmission

Medium
Category
Data Exfiltration
Content
Then add the token to the .env file. To get the chat ID, run:
```bash
curl -s "https://api.telegram.org/bot<TOKEN>/getUpdates" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['result'][0]['message']['chat']['id'])" 2>/dev/null || echo "No messages found — make sure you sent a message to your bot first"
```

Save the chat ID in config.json under `delivery.chatId`.
Confidence
84% confidence
Finding
https://api.telegram.org/

Session Persistence

Medium
Category
Rogue Agent
Content
Use system crontab so it runs even when the terminal is closed:
```bash
SKILL_DIR="<absolute path to the skill directory>"
(crontab -l 2>/dev/null; echo "<cron expression> cd $SKILL_DIR/scripts && node prepare-digest.js 2>/dev/null | node deliver.js 2>/dev/null") | crontab -
```
Note: this runs the prepare script and pipes its output directly to delivery,
bypassing the agent entirely. The digest won't be remixed by an LLM — it will
Confidence
97% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
1. Go to https://resend.com
2. Sign up (free tier gives 100 emails/day — more than enough)
3. Go to API Keys in the dashboard
4. Create a new key and copy it

Add the key to the .env file.
Confidence
79% confidence
Finding
Create a new key and copy it Add the key to the .env file. **If they choose on-demand:** Set `delivery.method` to `"stdout"`. Tell them: "No problem — just type /ai whenever you want your digest. No

VirusTotal

66/66 vendors flagged this skill as clean.
