Morning Brief

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public RSS headlines for a morning news brief and does not show credential access, persistence, destructive behavior, or hidden data handling.

Install this only if you want a news brief that may translate headlines into Chinese and preserve clickable source links. Before running it, expect network requests to the listed public feeds and fix the documented dependencies to install httpx and feedparser.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill description is broad enough to match common requests like general daily briefings or world news, which can cause the skill to activate in situations the user did not clearly intend. Over-broad triggering increases the chance that embedded behavioral instructions in the skill, such as forced formatting or language changes, override normal assistant behavior and produce unexpected output.

Natural-Language Policy Violations

High

Confidence: 97% confidence
Finding: The skill unconditionally instructs the agent to translate all headlines into Chinese and write the brief in that language, regardless of user preference. This creates an unauthorized behavioral override that can conflict with the user's requested language, reduce transparency, and be used to reshape or obscure source content in a way the user did not ask for.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal