ai-research-podcast

Security checks across malware telemetry and agentic risk

Overview

This skill’s document-to-audio purpose is plausible, but it also defines recurring network fetching and Feishu delivery while overstating that the workflow is offline and privacy-safe.

Install only if you are comfortable with the skill fetching URLs, generating summaries/audio, and optionally sending outputs through Feishu, WeChat, or email. Treat the offline claim as applying at most to local TTS after models are installed, not to the full workflow. Keep push_to disabled for sensitive documents, and do not enable scheduled Feishu delivery unless you can review the destination, credentials, logs, and how to turn it off.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Medium (94% confidence)
Finding: The skill claims 'offline mode, no network required' while also supporting remote URL fetching and first-run model downloads. This can mislead users into providing sensitive documents under a false privacy assumption, causing unintended data exposure over the network.

Description-Behavior Mismatch

Medium (88% confidence)
Finding: The documented behavior expands from converting a user-provided article into audio to autonomously fetching new papers and proactively delivering them on a schedule. This broadening of scope increases the chance of unintended background network activity and data transmission beyond what the user originally requested.

Context-Inappropriate Capability

Medium (90% confidence)
Finding: Including recurring scheduled-task setup introduces persistent autonomous execution that is not necessary for the core function of converting a specific report to audio. Persistent automation can repeatedly access external sources and messaging channels, magnifying privacy, abuse, and resource-consumption risks if enabled without strong controls.

Description-Behavior Mismatch

Medium (89% confidence)
Finding: The skill's stated purpose is converting a user-provided report/article into audio, but it also supports pushing the generated audio to external channels like Feishu, WeChat, and email. That expands the data flow beyond local conversion and can exfiltrate potentially sensitive report content or derived summaries without sufficiently explicit user consent or scope limitation.

Description-Behavior Mismatch

Medium (93% confidence)
Finding: The scheduled trigger automatically fetches content from an external source every day, which exceeds the described manual, on-demand conversion workflow. This creates unattended network activity and content processing that could surprise users, ingest untrusted content, and generate/push outputs without a fresh user request.

Vague Triggers

Medium (87% confidence)
Finding: The documented trigger phrases are broad, natural-language requests that are likely to overlap with normal conversation, increasing the chance of unintended invocation. In this skill, accidental activation can cause downstream actions such as fetching remote content, generating files, and optionally pushing messages, so the ambiguity is security-relevant rather than merely a UX issue.

Missing User Warnings

Medium (93% confidence)
Finding: The README describes scheduled retrieval of external content and automatic delivery to Feishu/WeChat/email, but does not clearly warn that the skill will perform recurring network access and proactive outbound messaging. That omission can mislead users about the skill's behavior and permission scope, creating risk of unexpected data transfer, spammy behavior, or privacy-impacting automation once configured.

Vague Triggers

Medium (82% confidence)
Finding: Overly broad trigger phrases can cause the skill to activate on ordinary conversation and process content or initiate networked actions unexpectedly. In a skill that may fetch URLs, synthesize files, and send messages, accidental activation materially increases the risk of unintended data handling.

Vague Triggers

Medium (87% confidence)
Finding: The trigger section lacks boundaries and negative examples, so the agent may invoke the skill in ambiguous contexts where the user did not intend file processing, URL retrieval, or message delivery. Given the skill's ability to access sources and push outputs externally, ambiguity raises the chance of privacy-impacting misfires.

Missing User Warnings

Medium (95% confidence)
Finding: The workflow fetches remote URLs and can send generated audio to Feishu or WeChat without clear user-facing warnings about network transmission or third-party data disclosure. This is dangerous because users may submit sensitive reports or documents believing processing is local, while the skill may transfer derived or source data across network boundaries.

Vague Triggers

Medium (84% confidence)
Finding: The scheduled trigger runs daily against an external source with little contextual scoping, making automatic invocation broader than necessary for the declared use case. Broad unattended triggers increase the chance of unexpected data ingestion, resource consumption, and downstream delivery actions occurring without active user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.