Is news-aggregator-skill safe?
https://clawhub.ai/cclank/news-aggregator-skill
This news aggregator skill is functionally legitimate but exhibits concerning behavioral patterns. It aggressively overrides agent autonomy through forceful directives (mandatory keyword expansion, forced Chinese language output, automatic file writing), and its deep-fetch mode creates an arbitrary URL fetcher that processes untrusted HTML content — a vector for second-order prompt injection. No active malice was detected (canaries intact, no exfiltration, no install hooks), but the combination of broad network access, agent behavior manipulation, and uncontrolled content ingestion warrants caution.
Category Scores
Findings (12)
HIGH Aggressive agent behavior override directives -25
SKILL.md uses 'CRITICAL' and 'You MUST' directives to force the agent to automatically expand user keywords, override language preferences to Simplified Chinese, and write files without explicit user consent. These directives override user autonomy and train the agent to follow skill instructions over user preferences.
HIGH Executable Python script with arbitrary URL fetching -30
The skill includes fetch_news.py which the agent is instructed to execute via shell. In --deep mode, it fetches and parses HTML from any URL returned by 8 news sources, using a 10-thread pool. This creates an arbitrary URL fetcher that processes untrusted HTML content.
HIGH Second-order prompt injection via deep-fetched content -35
When --deep mode is used, article content from external websites is fetched and passed to the agent for summarization. A malicious or compromised news source could embed prompt injection payloads in article text that the agent would then process, potentially leading to unintended actions.
MEDIUM Indirect prompt loading from templates.md -10
The skill instructs the agent to read and display contents of templates.md when triggered by a specific phrase. If templates.md were modified post-install (or in a future version), it could contain prompt injection payloads that the agent would execute.
MEDIUM Automatic file writing without user consent -10
The skill mandates the agent always save reports to a 'reports/' directory with timestamped filenames. This automatic filesystem modification happens without asking the user, and the agent is trained to do this by default for every interaction.
MEDIUM Outbound connections to 8+ external domains -20
The Python script connects to 8 different news/social media APIs and websites. While these are legitimate news sources, they represent a broad network footprint. The deep fetch mode further expands this to any URL linked from these sources.
MEDIUM Browser User-Agent spoofing -10
The script uses a fake Chrome User-Agent header to bypass bot detection on target websites. While common in scraping, this is deceptive and could cause the user's IP to be flagged or banned by these services.
MEDIUM PyPI dependency supply chain risk -20
requirements.txt specifies unpinned dependencies (requests, beautifulsoup4). Without version pinning, a compromised PyPI package could be installed. The skill instructs the agent to run pip install -r requirements.txt.
LOW Sensitive file reads during install (likely runtime artifacts) -35
Filesystem monitoring detected reads of .env, .aws/credentials, auth-profiles.json, and SSH host keys during the install phase. These appear to be from the OpenClaw agent runtime bootstrapping rather than the skill itself, but the skill was present in the environment when these reads occurred.
LOW Scope expansion beyond user intent -20
The 'Smart Fill' directive forces the agent to expand search scope beyond what the user requested when results are sparse, and the keyword expansion directive transforms simple queries into broad multi-keyword searches. This trains the agent to act beyond user intent.
INFO No install hooks, git hooks, submodules, or symlinks 0
The skill contains no package.json install scripts, no .githooks directory, no .gitmodules, no .gitattributes filters, and no symlinks. The code execution surface is limited to the explicitly invoked Python script.
INFO All canary files intact 0
No honeypot files (.env, SSH keys, AWS credentials planted as canaries) were modified or exfiltrated during the audit.