
Security audit

local hacker news index page, markdown news frontend

Security checks across malware telemetry and agentic risk

Overview

This is a simple local Markdown-to-HTML news page converter with no evidence of hidden network, credential, persistence, or destructive behavior.

Install this if you want a local Python tool that converts Markdown news snapshots into an HTML page. Use a deliberate output path to avoid overwriting files, and only open or share generated HTML from Markdown sources you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium, 88% confidence
Finding
The trigger condition "用户说『生成新闻网页』『hnews』时使用" ("use when the user says 'generate a news web page' or 'hnews'") is broad and underspecified, so the skill may activate for generic requests that merely mention making a news page or the token "hnews." Over-broad activation can cause unintended routing, tool execution, or content transformation in contexts the user did not explicitly intend, which is a prompt-scope security issue even though the skill itself appears otherwise low risk.

Natural-Language Policy Violations

Medium, 78% confidence
Finding
The skill title and description are written in Chinese and present the capability as "Markdown → 科技新闻网页" ("Markdown → tech news web page"), which implies a Chinese-language presentation without stating that output language should follow user preference. This can cause undesired language coercion or user-experience manipulation, though in this context it is more of a scope/usability security concern than a direct exploit path.

VirusTotal

66/66 vendors flagged this skill as clean.
