Is cctv-news-fetcher safe?
https://clawhub.ai/yuhangch/cctv-news-fetcher
This skill is a web scraper for CCTV News Broadcast (Xinwen Lianbo) that fetches and parses Chinese state media content. While not overtly malicious, it introduces a remote content pipeline with several moderate risks: unbounded URL following from parsed HTML (potential SSRF), second-order prompt injection through unvalidated news content fed to the agent, and hardcoded tracking cookies in outbound requests. The sensitive file access during installation (.aws/credentials, .env) appears to be platform-level behavior rather than skill-initiated, but warrants attention.
Findings (9)
MEDIUM Shell command execution with user-controlled input -10
SKILL.md instructs the agent to execute bun {baseDir}/scripts/news_crawler.js <YYYYMMDD> where the date parameter originates from user input. While the expected format is purely numeric, SKILL.md does not enforce strict validation. A careful agent should sanitize, but the instruction creates a code execution surface.
MEDIUM Outbound HTTP requests to external domains with spoofed headers -15
The crawler script makes HTTP requests to cctv.cntv.cn and tv.cctv.com with hardcoded Cookie headers and a spoofed User-Agent string. While these are legitimate news domains, the hardcoded cookie is unusual and the script follows URLs extracted from HTML content without validation.
MEDIUM Unbounded URL following from parsed HTML -20
The script extracts URLs from fetched HTML pages and follows them without any domain validation or allowlist. A compromised or modified CCTV page could inject arbitrary URLs, leading to SSRF or fetching of malicious content.
MEDIUM Remote content pipeline enables second-order prompt injection -20
News content fetched from CCTV is returned as JSON and summarized by the agent. If the upstream HTML contains crafted text (e.g., instructions disguised as news titles), the agent could interpret them as directives when processing the output.
LOW Sensitive file access during installation -15
Filesystem monitoring detected reads of .env, .aws/credentials, and auth-profiles.json during the install phase. These appear to be OpenClaw platform behavior rather than skill-initiated, but the .aws/credentials access during a skill install is noteworthy.
LOW Hardcoded tracking cookie in request headers -10
All three fetch functions include an identical hardcoded cookie value that appears to be an Alibaba/Taobao tracking cookie (cna). This could be used to track or correlate audit requests, or could be a remnant from the author's development environment.
LOW Agent instructed to calculate dates from natural language -10
SKILL.md tells the agent to interpret 'yesterday' or 'today' and calculate dates. While minor, this expands the attack surface for prompt manipulation via date-like instructions.
INFO No malicious npm scripts or git hooks 0
package.json contains no preinstall, postinstall, or other lifecycle scripts. No git hooks, submodules, or symlinks detected. The dependency tree (node-html-parser and its sub-dependencies) consists of well-known packages.
INFO All honeypot files intact 0
No canary files were accessed or modified during the audit, indicating no active credential harvesting behavior.