News Curator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed scheduled news-briefing workflow that fetches public news and posts formatted summaries to Telegram.

Install this only if you want an agent to run on a schedule and send generated news briefings to Telegram automatically. Before enabling it, confirm which Telegram chat or channel receives the posts and whether you want manual review before recurring delivery.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill description presents the capability as simple news curation but does not clearly disclose that it performs scheduled autonomous actions and sends content to Telegram, an external third-party service. This can mislead users or operators about data flow and behavior, reducing informed consent and increasing the risk of unintended outbound sharing.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documented flow combines live web fetching with automatic Telegram delivery but provides no explicit warning about privacy, third-party transmission, or the risks of forwarding externally sourced/generated content. In context, the autonomous cron-triggered delivery makes this more dangerous because messages may be sent repeatedly without human verification, potentially exposing sensitive context or causing reputational harm from inaccurate or unwanted content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal