Security audit

daily-tech-digest

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it automatically modifies an Obsidian vault and runs broad Git sync commands that can push unrelated private notes without a clear per-run confirmation.

Review before installing. Run it first on a copy of your Obsidian vault, change the hard-coded paths, and disable or narrow the Git sync unless you truly want the entire vault pulled, staged, committed, and pushed automatically. Also confirm that the today-task and daily-tech-broadcast dependencies are trusted, and avoid enabling the cron jobs until the overwrite/delete behavior is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and operationalizes shell execution, network access, and file read/write behavior, but does not declare any permissions or safety boundaries. In this context, the skill writes into an Obsidian vault, fetches remote content, and sets cron jobs that execute local Python scripts, so the missing permission declaration weakens user awareness and policy enforcement around sensitive capabilities.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script deletes the original daily digest after generating derivative notes and an index, which is a destructive action beyond a normal 'organize/split' expectation. If parsing is incomplete, links are wrong, or later recovery is needed, the canonical source content is lost without confirmation or backup.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatic `git pull/commit/push` gives the organizer repository synchronization capability that is not necessary for merely parsing and storing notes. In this skill context, that broadens the blast radius: unrelated vault changes may be staged and pushed to a remote without the user's informed consent.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The script invokes another skill's script to push content to a device surface, creating a cross-skill execution path and data egress channel outside the stated organizer role. While not inherently malicious, this expands trust boundaries and can expose generated content to external presentation layers without clear user approval.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module docstring describes a benign organizer that reads, splits, and stores notes, but the implementation also deletes the source digest, performs Git synchronization, and pushes to another skill. That mismatch is dangerous because users and reviewers may grant broader trust than the disclosed behavior warrants.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This skill performs `git pull`, `add .`, `commit`, and `push` over the entire Obsidian vault, which far exceeds the minimally necessary action of writing one digest file. If triggered unexpectedly, it can publish unrelated private notes, synchronize sensitive content to remotes, and alter repository history without the user's informed approval.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code modifies `sys.path` and imports another skill's internal module at runtime, creating an implicit trust boundary bypass between skills. If that sibling skill is modified, compromised, or behaves unexpectedly, this skill will execute its code with the same privileges, increasing supply-chain and lateral-impact risk.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad everyday requests such as '科技热点' (tech hot topics) and '新闻简报' (news briefing), which can cause the skill to activate unintentionally in response to generic user queries. Because the skill can launch scripts, access the network, write files, and potentially push content to a device, accidental invocation increases the chance of undesired actions and data modification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script deletes preexisting note files and matching duplicates before rewriting them, with no confirmation, backup, or integrity check. This can silently destroy user edits or previously generated content if titles collide, parsing changes, or a malformed digest produces incorrect filenames.

Missing User Warnings

High
Confidence
98% confidence
Finding
The original daily digest is unconditionally deleted once the index is written, without any user confirmation or rollback path. In a note-management skill, that is a significant destructive action because parser bugs, partial extraction, or later audit needs can leave the user with irreversible data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill writes a Markdown file directly into the user's Obsidian vault without any explicit prompt or disclosure at execution time. In an agent skill context, silent writes to personal knowledge stores are security-relevant because they can overwrite, clutter, or smuggle untrusted content into a trusted workspace.

Missing User Warnings

High
Confidence
98% confidence
Finding
Automatically pulling, staging, committing, and pushing the user's vault without explicit warning is dangerous because it changes local state and may exfiltrate unrelated personal notes to a remote repository. In this skill's context, generating a daily digest does not require broad repository synchronization, so the capability is excessive and high risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill sends generated content to an external device/service ('负一屏', the phone's "-1 screen" home panel) via another script without clear user-facing disclosure or consent. Even if the content is derived from public news, it may include metadata, workflow timing, or future extensions that expose user habits, and the hidden outbound transfer expands the privacy attack surface.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.