cctv-news-fetcher

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script at scripts/news_crawler.js sends a hardcoded cna tracking cookie in its request headers. Hardcoding session or tracking tokens in source code is a poor security practice: the value is exposed to anyone who can read the repository, and every user of the skill is tracked under the same identifier, which can lead to credential exposure or unauthorized user tracking.
  • [COMMAND_EXECUTION]: The instructions in SKILL.md direct the agent to execute the shell command bun {baseDir}/scripts/news_crawler.js <YYYYMMDD>, where the <YYYYMMDD> parameter is directly controlled by user input. If the agent builds that command as a single shell string without strictly validating the input, this presents a high risk of command injection: an attacker who controls the date string can append shell metacharacters to it and execute arbitrary system commands. The exposure exists only where the parameter reaches a shell unvalidated; validating it as exactly eight digits, or passing it as a separate argument with no shell involved, removes the injection path.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from official CCTV domains (cctv.cntv.cn and tv.cctv.com). This is a legitimate part of the skill's news-fetching functionality and targets well-known official sources.
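The COMMAND_EXECUTION finding turns on how the agent constructs the command, so the following is an added example, not code from the cctv-news-fetcher skill or its SKILL.md, of the invocation pattern that closes it: a strict YYYYMMDD validator that also rejects impossible calendar dates, and an argv-based spawn with no shell, so metacharacters in the date can never become commands. The function names, the baseDir value and the sample inputs are constructed for illustration.

```javascript
// Added example (hypothetical helper names): hardened invocation of
// bun {baseDir}/scripts/news_crawler.js <YYYYMMDD> with user-controlled input.

// Strict YYYYMMDD check: exactly eight ASCII digits AND a real calendar date.
// Returns the validated string, or null if the input is rejected.
function validateDateArg(input) {
  if (typeof input !== "string" || !/^[0-9]{8}$/.test(input)) return null;
  const year = Number(input.slice(0, 4));
  const month = Number(input.slice(4, 6));
  const day = Number(input.slice(6, 8));
  // Date.UTC silently normalises out-of-range fields (e.g. Feb 30 -> Mar 2),
  // so round-trip the fields and require them to come back unchanged.
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return null;
  }
  return input;
}

// Build [command, argv] for the crawler. The date is a separate argv element,
// never interpolated into a shell string, so "; rm -rf /" style suffixes would
// be passed to the script as a literal argument even if validation were skipped.
function buildCrawlerArgv(baseDir, dateArg) {
  const date = validateDateArg(dateArg);
  if (date === null) {
    throw new Error("invalid date argument; expected YYYYMMDD");
  }
  return ["bun", [`${baseDir}/scripts/news_crawler.js`, date]];
}

// Run the crawler without a shell (execFile, shell: false). Resolves with stdout;
// rejects on validation failure, spawn error, timeout or non-zero exit status.
function runCrawler(baseDir, dateArg) {
  const [cmd, args] = buildCrawlerArgv(baseDir, dateArg); // throws before spawning
  const { execFile } = require("node:child_process");
  return new Promise((resolve, reject) => {
    execFile(cmd, args, { shell: false, timeout: 60_000 }, (err, stdout) => {
      if (err) return reject(err);
      resolve(stdout);
    });
  });
}

// Constructed inputs (not real user data) showing what the validator does with them.
const SAMPLE_INPUTS = {
  "20260310": "accepted",
  "20240229": "accepted (2024 is a leap year)",
  "20260229": "rejected (2026 is not a leap year)",
  "2026-03-10": "rejected (not eight digits)",
  "20260310; id": "rejected (shell metacharacters)",
};

function classifySamples() {
  const out = {};
  for (const input of Object.keys(SAMPLE_INPUTS)) {
    out[input] = validateDateArg(input) === null ? "rejected" : "accepted";
  }
  return out;
}
```

The two defences are independent: validateDateArg stops anything that is not a date from reaching the script at all, and execFile with an argument array means that even a validator bug could not turn the argument into a command. Only the second is strictly necessary to remove the injection path, but the first also prevents the crawler from being pointed at nonsense dates.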
Recommendations
  • AI detected serious security threats. To address the findings above: remove the hardcoded cna cookie from scripts/news_crawler.js and, if a cookie is required at all, load it from configuration or an environment variable at runtime; and validate the <YYYYMMDD> parameter as exactly eight digits before invoking the crawler, passing it to bun as a separate argument rather than interpolating it into a shell command string.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 03:26 AM