Podcast Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward podcast lookup helper that fetches public podcast feeds and builds Wherever.Audio links, with a real but bounded URL-fetching hardening gap.

Use this skill for public podcast discovery. Avoid giving it arbitrary internal or private URLs, and in sensitive environments pin and review its Python dependencies or add URL validation before exposing the helper to untrusted inputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The script performs outbound network requests to an arbitrary user-supplied --rss-url via urlopen without restricting destinations or warning the caller. In an agent/skill context, this can be abused for SSRF-style access to internal services, unexpected egress to attacker-controlled hosts, or privacy leaks through network metadata and User-Agent disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal