RSS Aggregator

Security checks across malware telemetry and agentic risk

Overview

This RSS skill does what it claims: it fetches feed items and can send selected article summaries to destinations the user configures.

Install only if you are comfortable with scheduled feed fetching and with sending selected feed titles, links, summaries, and source URLs to services you configure, such as Discord, Notion, or a webhook. Avoid using private or internal feeds unless those destinations are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The recipes explicitly route feed content and article metadata to third-party destinations such as Discord, webhooks, and Notion, but they do not warn users that fetched data will leave the local environment. Even if RSS items are often public, feeds can include tracked URLs, private/internal feeds, or user-selected sources, so silent exfiltration to external services creates a real privacy and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
