Noticias Cangrejo

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches GNews results for a user topic and formats a Markdown news digest, with only ordinary API-key and optional file-save risks.

Before installing, be comfortable sharing searched topics with GNews and using your GNews API key for requests. Use --output only with an intended file path, preferably a new file in the working directory, because it overwrites existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill clearly requires environment access, makes outbound network requests to GNews, and can write files via `--output`, yet the metadata does not declare corresponding permissions. Undeclared capabilities weaken user consent and policy enforcement because a caller may not realize the skill can transmit prompts externally or persist data locally.

Missing User Warnings

Low
Confidence: 88%
Finding
The documentation instructs the agent to send the user-provided topic to an external API and optionally save generated output to a file, but it does not warn about either behavior. This creates a transparency and privacy issue: users may unknowingly disclose sensitive interests or leave artifacts on disk.

VirusTotal

66/66 vendors flagged this skill as clean.
