Dataify Bing News

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Bing News API helper that discloses its external API use and requires preview confirmation before live calls.

Install only if you intend to use Dataify for Bing News searches. Prefer setting DATAIFY_API_TOKEN or using --token instead of placing credentials in natural-language prompts, and review the preview table before approving a live API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The code extracts an API token from free-form natural-language prompt text via extract_token(args.prompt), which can cause secrets embedded in conversational input to be silently harvested and then used for outbound requests. This is dangerous because prompts often contain mixed content from users or upstream agents, and parsing credentials from that channel increases the chance of accidental secret disclosure or misuse without explicit confirmation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The runtime flow sends user-supplied search parameters and an Authorization header to an external service without any explicit disclosure or confirmation at execution time. In an agent context, that matters because users may not realize their prompt content and token are being transmitted off-platform to a third-party API.

VirusTotal

65/65 vendors flagged this skill as clean.
