Is technews safe?
https://clawhub.ai/kesslerio/technews
The technews skill presents itself as a legitimate tech news aggregator, and its source code contains no overt malicious logic. However, filesystem monitoring during installation reveals deeply concerning behavior: the process accessed .env, .aws/credentials, and agent auth-profiles.json — none of which are needed for a news scraping skill. While no outbound network exfiltration was detected during install, the skill's runtime HTTP capabilities could serve as a deferred exfiltration channel. The combination of credential access at install time and outbound HTTP infrastructure at runtime warrants significant caution.
Findings (11)
CRITICAL Unexplained .env file access during install -30
Filesystem monitoring detected the skill process opening and reading /home/oc-exec/.env during installation. A tech news scraping skill has no legitimate reason to access environment variables containing secrets. This file typically contains API keys, database credentials, and other sensitive configuration.
CRITICAL AWS credentials file accessed during install -30
The skill process opened /home/oc-exec/.aws/credentials during installation. This file contains AWS access keys and secret keys. A news scraping skill has zero justification for reading cloud provider credentials. The file was opened and read (ACCESS event) before being closed.
HIGH Agent auth-profiles.json accessed during install -5
The skill process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json which contains authentication profiles for the agent platform. This could expose OAuth tokens, API keys, or session credentials for connected services.
MEDIUM Environment profiling via .profile and .bashrc reads -15
The skill process repeatedly read .profile and .bashrc files (4+ times each). While these could be part of platform initialization, the repeated access pattern combined with credential file reads suggests environment reconnaissance.
MEDIUM Platform configuration repeatedly accessed -15
The file /home/oc-exec/.openclaw/openclaw.json was opened and read 7 times during installation. This is significantly more than expected and may indicate the skill is probing platform configuration for exploitable details.
MEDIUM sys.path manipulation in technews.py -10
The orchestrator script uses sys.path.insert(0, str(SCRIPT_DIR)) to prepend its directory to the Python import path. While common in Python projects, this could be used to shadow standard library modules with malicious replacements if additional files are added to the scripts directory.
MEDIUM Parallel outbound HTTP with user-agent rotation -15
article_fetcher.py spawns a ThreadPoolExecutor making parallel HTTP requests with rotating user agents. While functionally legitimate for fetching articles, this infrastructure could be repurposed to exfiltrate data by encoding it in request URLs/headers to attacker-controlled destinations if article URLs are manipulated.
LOW Cache file written to user home directory -5
techmeme_scraper.py writes cache to Path.home() / '.cache/technews/stories.json' and creates parent directories. This is a standard caching pattern but writes outside the skill directory.
LOW Missing type annotation causes runtime error -5
technews.py references List[Dict] in format_output without importing from typing, which would cause a NameError at runtime. This suggests the code may not have been thoroughly tested, or the published version differs from what was tested.
INFO Credential staging risk — no exfil detected but reads are concerning -25
While no outbound network connections were detected during installation, the .env and .aws/credentials reads are deeply suspicious. A staged attack could read credentials during install, cache them within the skill's working files, and exfiltrate them during a subsequent /technews invocation by encoding data in outbound HTTP request parameters to article URLs. The network monitor would then show 'legitimate' traffic to techmeme.com or article domains.
INFO No network exfiltration detected during install 0
Network monitoring showed no outbound connections during the install phase, and the firewall blocked nothing. This is a mitigating factor — credentials were read but not immediately sent anywhere. However, this does not rule out deferred exfiltration.