daily-every

Security checks across malware telemetry and agentic risk

Overview

This skill creates a small daily Shanghai weather and V2EX hot-post briefing and sends it to Telegram, with the network behavior disclosed and no hidden code found.

Install this only if you are comfortable with the agent contacting wttr.in and V2EX and sending the generated brief to a Telegram destination. Verify the bot token and chat destination yourself, and keep the cron trigger disabled unless you want automatic daily delivery.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill specifies pushing the generated briefing to Telegram, which is an outbound transmission to a third-party service, but it does not mention user consent, destination validation, or any data-handling safeguards. Even though the current content appears low sensitivity, silent exfiltration patterns are risky in agent skills because future changes could include personal or contextual data and users may not expect external delivery.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal