Is news-summary safe?

https://clawhub.ai/joargp/news-summary

Overall score: 72 (CAUTION)

The news-summary skill is a straightforward RSS news aggregation tool with no prompt injection or malicious intent detected. However, it presents moderate risk through embedded bash commands that direct the agent to execute curl pipelines against external feeds, reference the user's OpenAI API key, and write files to /tmp. These patterns, while individually benign, normalize agent behaviors that could be exploited by malicious companion skills or feed content manipulation.

Category Scores (each category scored out of 100; the percentage is its weight in the overall score)

Category                 Score     Weight
Prompt Injection         90/100    30%
Data Exfiltration        55/100    25%
Code Execution           50/100    20%
Clone Behavior           90/100    10%
Canary Integrity        100/100    10%
Behavioral Reasoning     55/100     5%

Findings (8)

HIGH Embedded bash commands for shell execution -35

The skill contains 7 distinct bash code blocks with curl, grep, sed, and head commands. While framed as documentation, LLM agents typically interpret code blocks in SKILL.md as executable instructions. The sed/grep pipeline processes untrusted XML from external feeds without sanitization, creating a potential command injection vector if feed content is malicious.

MEDIUM OpenAI API key exposed in curl command -30

The skill includes a curl command that uses $OPENAI_API_KEY in an Authorization header. This instructs the agent to read and use the user's API key. While the destination (api.openai.com) is legitimate, this establishes a pattern where skills can direct the agent to send credentials to external endpoints.

MEDIUM Agent directed to fetch from multiple external domains -15

The skill directs the agent to make HTTP requests to 4 different external domains (BBC, Reuters, NPR, Al Jazeera). While legitimate news sources, this normalizes the agent fetching arbitrary external content, expanding the attack surface.

MEDIUM File write to /tmp directory -15

The TTS workflow writes output to /tmp/news.mp3, demonstrating the skill can direct the agent to write files to paths outside the skill directory.

MEDIUM Normalizes shell-based network fetching pattern -30

Repeated use of curl in bash blocks conditions the agent to treat network-fetching shell commands as routine, lowering the barrier for other skills or injected prompts to exploit this pattern.

LOW Combination risk with other skills -15

A malicious companion skill could modify environment variables or alias curl to redirect requests, turning this skill's legitimate fetches into data exfiltration channels.

INFO Clean install with expected runtime filesystem activity -10

All filesystem events during install are attributable to the OpenClaw agent runtime bootstrap (config reads, jiti cache creation). No skill-initiated filesystem activity detected.

INFO Clean frontmatter and instructions -10

The SKILL.md frontmatter and body contain no hidden instructions, Unicode tricks, or attempts to override agent behavior. The skill description accurately reflects its functionality.