ClawHub

AI Daily Intelligence Digest

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates RSS collection, AI summarization, and publishing to a configured Feishu Wiki, but users should review destinations and content before enabling scheduled runs.

Install only if automatic posting to your Feishu Wiki is acceptable. Use least-privilege Feishu credentials, confirm the target Wiki space and parent node, run it manually first, review generated summaries for accuracy and sensitivity, and enable the daily cron only after validating the output and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly presents automatic publication into a shared Feishu Wiki but does not warn users that running the skill will create or update shared knowledge-base content visible to others. In a multi-user workspace, this can cause unintended publication of inaccurate, sensitive, or unreviewed summaries to a team knowledge base, especially because the content is AI-generated and aggregated from external sources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README recommends unattended cron-based execution of a workflow that fetches external content, summarizes it with AI, and publishes it automatically, but it does not warn about ongoing automated writes to a shared system. This increases the chance of repeated unauthorized or erroneous updates, spammy page creation, propagation of prompt-injected or misleading source content, and silent misuse of Feishu credentials over time.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly performs an external side effect: it publishes AI-generated content to a Feishu Wiki using configured credentials, but the documentation does not prominently warn the user before execution. This can lead to unintended disclosure, reputational harm, or unwanted writes to a production knowledge base, especially if users treat the skill as a passive summarization tool rather than a publisher.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented cron setup enables unattended daily posting to Feishu Wiki, but there is no explicit warning that this creates recurring autonomous writes to an external collaboration system. In context, automation increases risk because bad summaries, prompt-injected content from feeds, or misconfiguration can be repeatedly published without human review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal