
Security audit

Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it has review-worthy risks from unsafe shell command construction and a scheduled email example that could send briefings to an unintended outside recipient.

Review before installing. Use only the default or trusted city values until the weather fetch is changed to a safer HTTP call, and do not copy the cron email example unless you replace the recipient with your own and intentionally approve recurring external delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README instructs a scheduled daily-briefing workflow to import an external email-sender skill and send the generated briefing to a hard-coded third-party email address. That extends the skill from local briefing generation into outbound data exfiltration/automation without being part of the stated purpose, increasing the risk of unintended disclosure and abuse in automated environments.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code imports child_process.execSync and builds a shell command using the city parameter: `curl -s 'wttr.in/${city}?format=j1'`. Because the input is interpolated directly into a shell string, a crafted city value containing quotes or shell metacharacters can break out of the quoted argument and trigger arbitrary command execution. In a data-collection skill, this makes the issue more dangerous because the function appears utility-oriented and may later be reused with untrusted input from agents, users, or scheduled jobs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented cron payload sends generated content to an external recipient without any warning that briefing contents will leave the local environment. In an agent or scheduled execution context, this can cause silent transmission of generated summaries, potentially including sensitive contextual data if the briefing output is later expanded or combined with other sources.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"test": "node scripts/test-all.mjs"
  },
  "dependencies": {
    "cheerio": "^1.2.0"
  },
  "keywords": ["daily", "briefing", "weather", "news", "beijing"],
  "author": "Kimi Claw",
Confidence
88% confidence
Finding
"cheerio": "^1.2.0"

VirusTotal

59/59 vendors flagged this skill as clean.
