news-search

Security checks across malware telemetry and agentic risk

Overview

This skill searches public news sites as advertised, but it uses browser automation with a stealth plugin and sends search terms to those sites.

Install only if you are comfortable with automated browser searches against third-party news/search sites. Search keywords will be sent to the selected providers. Because the skill uses the stealth plugin and launches the browser with no sandbox, it is best run in a constrained environment if you need stronger isolation or strict terms-of-service compliance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill explicitly loads and uses a stealth anti-bot plugin to disguise browser automation and bypass scraping defenses on third-party news sites. For a news aggregation skill, this is not necessary for core functionality and increases legal, operational, and abuse risk by enabling covert collection from sites that may intentionally restrict automated access.

Missing User Warnings

Low
Confidence: 93%
Finding
The skill automates access to multiple third-party news/search websites using a headless browser, but the user-facing description does not clearly warn that external sites will be contacted and queried on the user's behalf. This can mislead users about network activity, privacy exposure of search terms, and potential policy or rate-limit implications, especially because the skill also advertises stealth/anti-bot capabilities.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The manifest explicitly includes `puppeteer-extra-plugin-stealth`, a package designed to disguise automated browser behavior and evade bot-detection mechanisms. In a news-search skill, this materially increases abuse potential because it enables scraping and interaction with third-party news/search sites in a less transparent way, without any visible user opt-in, policy controls, or justification in this file.

VirusTotal

66/66 vendors flagged this skill as clean.
