Miniflux News

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Miniflux RSS helper that uses a token and can change read status only through disclosed, confirmation-gated commands.

Install only if you trust this skill with your Miniflux API token. Use HTTPS, prefer the narrowest token Miniflux supports, protect the config file, and treat mark-read or mark-read-category as account-changing actions to run only after checking the target IDs or category.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill invokes shell commands, reads environment variables and local files, writes a credential config file, and makes network requests, yet it declares no permissions. This creates a trust and review gap: an orchestrator or user may treat it as read-only/news-fetching while it can access secrets, persist data, and modify remote state through the bundled script.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The stated purpose focuses on fetching and summarizing unread items, but the documented behavior also includes writing credentials, enumerating categories, and marking entries as read, including bulk category operations. This mismatch is dangerous because agents or users may invoke the skill expecting passive read-only behavior when it can perform persistent local writes and destructive remote state changes that alter a user's feed state.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill description frames the capability as fetching, listing, and summarizing unread entries, but the script also exposes state-changing commands that mark individual entries or whole categories as read. In an agent setting, this broader authority is dangerous because the tool can silently alter user data and workflow state beyond the advertised read-only use case, increasing the chance of unintended destructive actions.

VirusTotal

64/64 vendors flagged this skill as clean.
