Back to skill

Security audit

Miniflux News

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Miniflux RSS helper that uses a local API token and only changes read status through documented confirmation-gated commands.

Install only if you trust this skill with access to your Miniflux account. Use HTTPS, keep the token private, prefer the narrowest token Miniflux supports, and treat mark-read or mark-read-category as account-changing actions to run only after checking the target entries or category.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes a bundled script that can read environment variables, read and write local files, make network requests, and execute via shell commands, yet those capabilities are not declared in the skill metadata. This creates a transparency and consent problem: operators may authorize a seemingly simple read-only news skill without realizing it can persist credentials locally and perform state-changing actions against the Miniflux API.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description presents the skill primarily as a fetch/triage and summarization tool, but the documented behavior also includes writing credentials to disk, listing categories, and marking entries as read individually or in bulk. This mismatch is dangerous because users and orchestrators may treat the skill as read-only when it can modify remote state and local configuration, increasing the risk of unintended destructive or privacy-impacting actions.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script exposes write operations (`mark-read`, `mark-read-category`) even though the skill description presents it as a fetch/triage tool. This capability mismatch can lead an agent or user to invoke state-changing actions they did not expect, causing silent modification of unread-state in the Miniflux account.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The module documentation emphasizes read-only examples while omitting examples of the state-changing `mark-read` operations, which understates the tool's effective scope. In an agent setting, incomplete documentation increases the chance of unsafe automation decisions because the tool appears less capable than it really is.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill instructs users to place an API token in a config file or environment variables but does not include guidance on protecting the token, limiting its scope, or avoiding accidental disclosure in logs, prompts, or command history. While this is not an exploit by itself, weak credential-handling guidance increases the chance of token leakage and unauthorized access to the user's Miniflux data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.