Daily Ai News

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI news digest tool with optional channel posting, but scheduled sends should be configured carefully.

Install this if you want a public AI-news digest. Review any separate Tavily/Brave integration before adding API keys. If you enable --send or cron, use a fixed, verified destination channel instead of relying on the last-contacted channel.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding:
The skill declares required tools and binaries but does not clearly declare the effective security-sensitive capabilities implied by its behavior, namely network access and shell/subprocess execution. That creates a transparency and least-privilege problem: users may invoke a seemingly simple news skill without realizing it can reach external services and run commands, which increases the risk of misuse or unexpected side effects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose is passive news aggregation, but the behavior reportedly includes sending messages to external channels via subprocess when run with --send. That mismatch is dangerous because users may authorize or schedule the skill expecting read-only retrieval, while it can also perform outbound actions; the additional discrepancy around claimed but unimplemented search support further undermines trust and auditability.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding:
The skill description emphasizes aggregation and fetching news, but the code also supports transmitting the compiled digest to an external OpenClaw channel. That hidden or under-disclosed exfiltration/output capability expands the trust boundary and could be abused to relay unreviewed external content or sensitive contextual data if this skill is invoked in a broader agent workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding:
Invoking a local messaging subprocess introduces an action capability beyond passive news retrieval. In agent environments, extra local execution and outbound messaging paths are security-relevant because they can be chained with other data sources to move content outside the original context without sufficient review.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The README instructs users to configure a cron job that automatically sends output to the "last" contacted channel every day, but it does not prominently warn that this can result in unsolicited posting to whatever conversation was most recently active. In an agent/chat environment, this creates a real risk of unintended disclosure, spam, or sending content into the wrong private or group context if channel state changes between setup and execution.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding:
Overly broad trigger phrases such as generic requests about AI news or tech news increase the chance of accidental invocation during normal conversation. In a skill that can perform network access and potentially send messages on a schedule or via flags, accidental activation expands exposure and can lead to unintended data retrieval or actions.

VirusTotal

64/64 vendors flagged this skill as clean.
