Back to skill

Security audit

tech-news-digest

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent tech-news digest tool, but users should understand that it fetches many external sources, can use configured credentials, archives reports, and can deliver digests to third-party channels.

Before installing, review any configured sources, tokens, GitHub App key path, delivery recipients, and schedule. Use least-privilege API credentials, avoid enabling gh CLI fallback if you do not want the skill to use your local GitHub session, and confirm that archived digest cleanup and external delivery match your expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly documents capabilities to read environment variables, access files, make network requests, and invoke shell-adjacent tooling, yet it does not declare an explicit permission model. This creates a trust gap: installers may underestimate the effective authority of the skill, especially because it can fetch remote content, write archives/tmp files, and deliver output via external channels.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The security notes claim no files outside the workspace are accessed, but the documented GitHub App flow reads a PEM key from `GH_APP_KEY_FILE`, which may point anywhere on disk. Misstating file-access boundaries is dangerous because users may grant trust based on inaccurate assumptions and expose sensitive key material outside the advertised scope.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The network-access section says no data is sent to endpoints beyond the listed APIs, but the enrichment step explicitly fetches article URLs from arbitrary domains. This undermines the stated egress boundary and increases risk of unexpected requests to attacker-controlled or untrusted sites, including tracking, malicious content delivery, or internal-network exposure if URL validation is insufficient.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script does more than passive data collection: it reads a private key, mints a GitHub App JWT via `openssl`, exchanges it for an installation token, and also falls back to harvesting credentials from the local `gh` CLI. In an agent skill context, this expands privileges and may cause the skill to access credentials the operator did not intend to expose to a news-digest workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promises that a bot will handle installation, configuration, scheduling, and delivery through conversation, but it does not warn users that this can cause system changes and outbound posting to external services. In an agent/skill ecosystem, that omission can lead users to authorize actions they do not fully understand, increasing the risk of unintended automation, data disclosure, or spam-like posting.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage examples encourage sending digests to Discord and Telegram without any privacy or data-sharing notice. Because digest content may include user-supplied sources, search-derived content, or organization-specific topics, this can result in accidental transmission of sensitive or internal information to third-party platforms.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README instructs users to configure multiple third-party API credentials and describes automated outbound delivery, but provides no privacy or data-flow warning. In a skill that aggregates content and pushes reports to external channels, this omission can cause users to unknowingly transmit prompts, source selections, report contents, metadata, or tokens to external services, increasing privacy, compliance, and accidental data-exposure risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The prompt instructs deletion of files older than 90 days in a workspace archive path without requiring confirmation, preview, or explicit warning to the operator. In an agent context, destructive file operations can remove historical records unexpectedly, especially if the workspace path is misconfigured or shared, leading to data loss and reduced auditability.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The email delivery flow can transmit the full digest and attachments to an external recipient without any user-facing privacy or exfiltration warning. Because the digest is assembled from workspace configuration, archive context, and fetched content, this creates a realistic risk of sending sensitive or unintended information outside the local environment.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The template explicitly instructs the agent to send output to a Discord channel or DM using environment-provided identifiers, but it provides no requirement to notify or confirm with the user before delivering content to that destination. In an agent setting, this can cause unintended external disclosure or misdelivery of generated content, especially if the target ID is preconfigured or attacker-influenced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The template explicitly instructs agents to send generated HTML content through Gmail, which transmits potentially sensitive, unreviewed digest content to an external third-party service. In an agent setting, this can cause unintended data exfiltration or distribution of unsanitized content, especially because the guidance gives a concrete command path but no warning, approval gate, or content-sensitivity checks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.