Daily News Short

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Revid automation guide for generating daily news videos, with optional scheduling and publishing steps users should control carefully.

Install only if you trust Revid with the API key and with any connected social accounts. Use the render/status flow first, review generated news videos for accuracy and brand fit, and enable scheduled public posting only with deliberate account scoping and a human approval step.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill includes shell-based automation examples (`crontab`, `daily-news.sh`, `curl`, `jq`) but declares only a config requirement and no permission/capability boundary for shell execution. This mismatch can cause reviewers or hosting systems to underestimate what the skill enables, especially in environments where shell-capable skills are subject to additional scrutiny or controls.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly recommends automatically posting the resulting `videoUrl` to social accounts and references `publish-now`, but it does not include an explicit warning that this causes external publication on connected accounts. In an automation context, that increases the risk of unintended public posting of inaccurate, off-topic, or harmful AI-generated news content.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal