Back to skill

Security audit

HackerNews Extract

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches a Hacker News post and linked article, then saves the combined article and comments as Markdown.

Install this only where outbound web requests and uv-managed Python dependency downloads are acceptable. When used, it may contact Hacker News/Algolia and third-party article sites, and it will create and upload a generated Markdown extraction file as part of its normal workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly instructs the agent to execute a Python script that reads input, performs external network fetches to HackerNews and linked articles, and writes output to a filesystem path, yet the skill metadata does not declare corresponding permissions. Undeclared capabilities are dangerous because they hide the true trust boundary from the user or host system, reducing transparency and potentially bypassing policy review for network access and file I/O.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill description explains functionality but does not prominently warn that it will fetch remote content based on user-provided HackerNews IDs/URLs and then fetch the linked article itself. This matters because external HTTP requests can disclose usage patterns, contact untrusted servers, and retrieve potentially sensitive or malicious content into the agent workflow without explicit user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.