Daily News Search and Intelligent Summarization

Security checks across malware telemetry and agentic risk

Overview

This news-digest skill mostly matches its stated purpose, but it needs review because it can use a global OpenClaw API config and weakens HTTPS certificate checks during scraping.

Review before installing. Use it only if you are comfortable with scraped article content being sent to a configured LLM provider, and prefer setting NEWS_DIGEST_LLM_API_KEY and NEWS_DIGEST_LLM_BASE_URL explicitly instead of relying on a global OpenClaw config. Be aware it writes digest files to the Desktop and workspace and stores articles in a local SQLite database. The TLS verification bypass should be fixed or accepted consciously because it can let spoofed or modified news content enter the digest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'req' from os.environ.get (line 65, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req, timeout=300) as resp:
            result = json.loads(resp.read().decode('utf-8'))
            return result.get('choices', [{}])[0].get('message', {}).get('content', '')
    except Exception as e:
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=300) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises a content-generation workflow but the manifest does not declare the sensitive capabilities it clearly uses: environment-variable access, network fetching, local database/file reads, and file writes. Undeclared capabilities reduce user/operator visibility and consent, making it easier for the skill to access credentials, persist data, and write outputs in unexpected locations without clear review boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose understates materially significant behavior: the skill can call external LLM services with configured credentials, read secrets from the environment, persist scraped content in SQLite, and write outputs to the Desktop and workspace. This mismatch can mislead users and reviewers about data flows and trust boundaries, increasing the chance of unapproved data exfiltration, secret handling, and persistent local side effects.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The fetcher explicitly disables TLS certificate verification for www.gov.cn requests and also retries any SSL failure with verify=False. This allows a man-in-the-middle attacker on the network path to spoof news sites, inject altered article content, and feed untrusted data into downstream parsing, summarization, and storage.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code reads API credentials and endpoint data from `~/.openclaw/openclaw.json`, which reaches into a broader user-level config unrelated to this specific skill. That creates unnecessary privilege expansion: the skill can consume secrets and service settings the user may not expect it to access, and those values are then used for outbound network calls.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script writes generated content both to the user's Desktop and to a workspace file, which extends its side effects beyond simply producing a digest in-memory or as a returned result. In an agent setting, unexpected filesystem writes can expose sensitive summarized content to other local users/processes and violate least-privilege expectations for a news summarization skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Accessing USERPROFILE to locate and write to the Desktop gives the skill reach into a user-specific filesystem location unrelated to core digest generation. In a constrained agent environment, this broadens capability unnecessarily and increases the chance of unintended data exposure or policy violations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code performs HTTPS requests without certificate validation and suppresses related warnings, while giving no user-facing indication that connection authenticity is no longer assured. In a news-ingestion pipeline, this can silently corrupt the integrity of collected content and make poisoned summaries appear legitimate.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This module sends article titles and content snippets to an external LLM service, but there is no visible consent, warning, or policy check in the code path before exfiltrating scraped content. Even if the content is 'just news,' feeds can include licensed, embargoed, or otherwise sensitive material, and the configured endpoint may be third-party or user-controlled.

VirusTotal

64/64 vendors flagged this skill as clean.
