Back to skill

Security audit

Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

This daily briefing skill has a coherent purpose, but it appears to centralize highly sensitive personal data and a mailbox password into a predictable temporary file.

Review this skill carefully before installing. It appears intended to generate useful daily summaries, but you should not use it unless you are comfortable with it accessing email, contacts, calendar, reminders, and birthdays, and you should avoid storing mailbox passwords in plain JSON config. Prefer a version that uses a private per-user storage path, deletes generated data promptly, avoids placing secrets in output files, and sanitizes shell command inputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly directs the agent to execute shell commands (`bash` runner and `curl`) while declaring no explicit permissions. That creates a capability/permission mismatch that can bypass user expectations and any permission-based policy controls, especially for a user-invocable skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose understates the actual data exposure and processing: the skill collects contacts, calendar, reminders, mailbox content, and references an iCloud mail password field in config. This mismatch is dangerous because users may authorize a benign-sounding briefing skill without realizing it processes broad personal data and sensitive credentials-adjacent configuration.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script enumerates the user's full contacts dataset when emails are enabled, even though the stated purpose is generating a daily briefing. This is over-collection of sensitive personal data and expands exposure if the output file, logs, or downstream agent are compromised. In this skill context, broad contact harvesting is more dangerous because the briefing only needs a minimal subset of contact information relevant to surfaced emails, not the entire address book.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill performs semantic analysis over mailbox data and may surface message metadata/content without a clear privacy warning in the top-level description. Handling email in a user-invocable skill materially increases sensitivity because mailbox contents often include financial, personal, and security-related information, and users may not realize that from the summary alone.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script aggregates highly sensitive personal data—calendar events, reminders, birthdays, email metadata, and contacts—and writes it to predictable files under /tmp. /tmp is a shared, transient location inappropriate for personal briefing data, and the canonical filename makes discovery easier for other local processes; the lack of user-facing disclosure further increases privacy risk. In a daily-briefing skill, this is especially risky because the collected data spans multiple private domains and is centralized into one file.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script reads an iCloud mail password from user configuration, which is a sensitive credential, without any visible disclosure, validation of secure storage, or use of a platform secret store. Storing or retrieving passwords from a plain configuration file increases the chance of credential compromise through file disclosure, backups, or accidental exposure. In this skill, credential handling is more dangerous because it enables access to a private mailbox beyond the immediate briefing task.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.