
Security audit

Daily Geopolitical TikTok Reporter

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public geopolitical RSS news and writes local TikTok script drafts, with no evidence of hidden data access, credential use, or unsafe persistence.

Use this in a virtual environment, expect outbound requests to public news RSS feeds when generating reports, and review every script before posting. For geopolitical or conflict news, verify claims against primary or trusted sources and tone down sensational language where needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The description and invocation scope are broad enough to overlap with normal content-generation requests about current events, making accidental or unintended invocation more likely. That can cause the wrong skill to activate in contexts involving sensitive geopolitical topics, increasing the chance of misleading outputs, policy bypass through over-broad routing, or inappropriate source handling.

Vague Triggers

Severity: Low
Confidence: 95%
Finding:
The basic usage example uses a very generic phrase—'Generate today's geopolitical TikTok scripts'—without constraints, qualification, or exclusions. Generic activation phrases broaden matching surface area and can cause accidental invocation during ordinary requests for summaries or social-media copy, especially in a domain involving time-sensitive and potentially controversial geopolitical content.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This generator produces polished, persuasive geopolitical scripts and publishing tips but does not include any warning, uncertainty framing, or verification requirement for claims drawn from input stories. In a fast-moving geopolitics/news context, that increases the risk of spreading misinformation, outdated claims, or propaganda in a format optimized for virality and audience persuasion.

Missing User Warnings

Severity: Medium
Confidence: 72%
Finding:
The script performs network news collection automatically via GeoNewsGatherer.fetch_all_sources() without any explicit notice, consent, or source transparency at runtime. While outbound fetching is expected for a news-based skill, silent network access can surprise users in restricted or privacy-sensitive environments and may transmit identifying metadata such as IP address or user-agent to third-party sources.

VirusTotal

64/64 vendors flagged this skill as clean.
