ClawHub

Global News By Opera News

Security checks across malware telemetry and agentic risk

Overview

This is a read-only news lookup skill, with broad activation terms and a US/English fallback that users may want to override.

Install only if you are comfortable sending news topics, city names, and coarse country/language choices to the external FeedNews/Opera News API. For non-US or multilingual use, explicitly state the country and language so the agent does not fall back to us/en.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list contains very broad terms such as "news," "video," and "what's happening," which are likely to match ordinary user requests that are not intended for this skill. This can cause inappropriate skill activation, route users away from more relevant tools, and increase exposure to unreviewed external content without clear user intent.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The workflow instructs the agent to infer country and language from location or language and to default to `us/en` when unclear, without explicit user confirmation. This can lead to incorrect regional assumptions, privacy-sensitive inference about user location, and delivery of news content from the wrong jurisdiction or language context.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The notes explicitly enforce a `us/en` default market, which hardcodes a locale choice without user opt-in. In a news skill, this can bias content selection, produce misleading results for international users, and undermine user autonomy over regional and language preferences.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal