Walter Info

Security checks across malware telemetry and agentic risk

Overview

This is mostly a weather and cross-border e-commerce news reporting skill, but it also deletes a local file for no reason connected to that purpose and disables HTTPS certificate verification in its news fetchers.

Install only if you are comfortable running local Python that fetches public websites and writes report files. Before use, remove or ignore cleanup.py and check_files.py, fix the news fetchers so that normal HTTPS certificate verification stays enabled, and treat the article text the skill writes to llm_input as untrusted content when it is summarized.
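As an added example (not the skill's code and not how SkillSpector performs its scan), the following AST-based pre-install audit flags the two behaviours this report describes in a skill's Python files: filesystem deletion calls and TLS-verification bypass. The two sample snippets are constructed to mimic the described behaviour; the file names, function names and the audit_source/audit_skill_dir helpers are assumptions for illustration.

```python
from __future__ import annotations

import ast
from pathlib import Path

# Hypothetical pre-install audit; not part of the skill or of SkillSpector.
# Dotted call names whose only job is to delete things on disk.
DELETION_CALLS = {"os.remove", "os.unlink", "os.rmdir", "shutil.rmtree"}
# Method names that delete when called on a pathlib.Path-like object.
DELETION_METHODS = {"unlink", "rmtree"}


def _dotted(node: ast.AST) -> str | None:
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else None."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def audit_source(src: str, filename: str = "<string>") -> list[str]:
    """Return one 'file:line: reason' string per risky construct, in line order."""
    hits: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DELETION_CALLS:
                hits.append((node.lineno, f"filesystem deletion via {name}()"))
            elif isinstance(node.func, ast.Attribute) and node.func.attr in DELETION_METHODS:
                hits.append((node.lineno, f"filesystem deletion via .{node.func.attr}()"))
            if name == "ssl._create_unverified_context":
                hits.append((node.lineno, "TLS verification disabled via ssl._create_unverified_context()"))
            for kw in node.keywords:  # requests.get(url, verify=False) and friends
                if kw.arg == "verify" and _is_false(kw.value):
                    hits.append((node.lineno, "TLS verification disabled via verify=False"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr == "check_hostname" and _is_false(node.value):
                    hits.append((node.lineno, "hostname verification disabled (check_hostname = False)"))
                if target.attr == "verify_mode" and (_dotted(node.value) or "").endswith("CERT_NONE"):
                    hits.append((node.lineno, "certificate validation disabled (verify_mode = CERT_NONE)"))
    return [f"{filename}:{ln}: {reason}" for ln, reason in sorted(hits)]


def audit_skill_dir(root: Path) -> list[str]:
    """Audit every .py file under a skill directory before installing it."""
    findings: list[str] = []
    for path in sorted(root.rglob("*.py")):
        findings.extend(audit_source(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed samples modelled on the behaviour the report describes; not the skill's code.
SAMPLE_FETCHER = '''
import ssl, urllib.request
def fetch(url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.urlopen(url, context=ctx).read()
'''

SAMPLE_CLEANUP = '''
import os
from pathlib import Path
if os.path.exists("config.example.json"):
    os.remove("config.example.json")
Path("cache.tmp").unlink(missing_ok=True)
'''

if __name__ == "__main__":
    for line in audit_source(SAMPLE_FETCHER, "fetch_news.py") + audit_source(SAMPLE_CLEANUP, "cleanup.py"):
        print(line)
```

Run audit_skill_dir(Path("path/to/skill")) against the unpacked skill before installing; any line it reports is one the report above says should be removed or fixed.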

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes executing Python scripts that fetch remote data, read local configuration, and write output files, yet it declares no permissions. This creates a transparency and sandboxing problem: users and the platform cannot accurately reason about the skill's real capabilities, especially since it uses network, file read/write, and shell-style execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The static finding indicates behavior outside the stated purpose: scanning local files and checking for and deleting config.example.json are unrelated to fetching weather/news and generating reports. Undisclosed local file enumeration and deletion materially increase risk because they can expose environment details or destroy files under the guise of a benign information tool.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script deletes a local file inside the skill directory even though the skill's stated purpose is weather/news reporting, so the behavior is unnecessary and risky. Any undeclared file-deletion capability expands the skill's side effects and can remove configuration or example artifacts that users may rely on for setup, auditing, or recovery.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code performs local file deletion without any user prompt, safety check, or clear connection to the advertised functionality of generating weather and cross-border e-commerce reports. In agent environments, unjustified filesystem write/delete actions are dangerous because they create hidden destructive behavior and could be adapted to remove useful files or interfere with operation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The helper used for outbound HTTPS requests explicitly disables certificate validation and hostname verification, which allows a man-in-the-middle attacker to intercept or modify supposedly secure traffic. In this skill, that means fetched news content can be silently tampered with, poisoning the generated JSON/Markdown outputs and any downstream automation that trusts them.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The site-specific ennews fetch path also disables HTTPS certificate and hostname checks, so content retrieved from that source is not authenticated. Because this script scrapes untrusted external HTML and converts it into reports, a network attacker could inject misleading or malicious content into outputs without needing to compromise the source site itself.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The cifnews fetcher repeats the same TLS-bypass pattern, so article retrieval is open to interception and response manipulation. In a reporting skill this undermines output integrity rather than directly compromising the host, but it can still enable disinformation, bad business decisions, and tainted artifacts consumed by later tools or users.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough to activate on common requests involving weather, news, or report generation. Over-broad triggering can cause the skill to run in contexts the user did not intend, leading to unnecessary network access, file generation, or execution of local scripts.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code explicitly disables TLS certificate validation by setting check_hostname=False and verify_mode=ssl.CERT_NONE before fetching article content. This allows man-in-the-middle interception or content tampering, which is especially relevant because fetched text is later written into files and prepared as LLM input, making downstream summaries and reports untrustworthy.
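The four TLS findings above all describe the same two assignments on an ssl.SSLContext. As an added example (not the skill's fetcher code), the flagged pattern is reproduced beside a verifying context and a fetch helper that refuses to run with verification off; the function names, the User-Agent string and the optional cafile parameter are assumptions for illustration.

```python
from __future__ import annotations

import ssl
import urllib.request


def insecure_context() -> ssl.SSLContext:
    """The pattern the report flags, reproduced for comparison only.

    Both assignments are needed to fully disable verification, and
    check_hostname must be switched off first or setting CERT_NONE raises.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """Verifying context: chain validation and hostname check stay on."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True
    # and loads the platform trust store; cafile (hypothetical option) lets a
    # deployment pin a private CA instead.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verified(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the peer and its hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch_article(url: str, ctx: ssl.SSLContext | None = None, timeout: float = 15.0) -> bytes:
    """Fetch an article body over HTTPS, refusing unverified contexts."""
    if not url.lower().startswith("https://"):
        raise ValueError("news sources must be https:// URLs")
    if ctx is None:
        ctx = hardened_context()
    if not context_is_verified(ctx):
        raise ValueError("refusing to fetch with TLS verification disabled")
    req = urllib.request.Request(url, headers={"User-Agent": "news-report-skill/1.0"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("insecure verified?", context_is_verified(insecure_context()))
    print("hardened verified?", context_is_verified(hardened_context()))
```

Replacing each fetcher's context construction with hardened_context() and routing requests through fetch_article() restores peer authentication; the check in fetch_article also makes a later regression (someone re-adding the bypass) fail loudly instead of silently.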

VirusTotal

66/66 vendors reported this skill as clean. An antivirus verdict covers known-malware signatures only; the design issues above (disabled TLS verification, undeclared file deletion) are not malware and do not show up here.