Daily Hot Push

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only daily news helper that openly fetches public hot-list pages and can send a user-configured summary to Feishu.

Safe to install as a news-summary helper. Before enabling the cron example, confirm the Feishu recipient and schedule are correct, and make sure you know how to remove the cron job if you no longer want daily messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The manual trigger phrases are generic conversational requests like '查看今天的热搜' and '给我10条最重要的新闻', which can easily overlap with ordinary user intent and cause the skill to activate unexpectedly. In a skill that fetches external content and may push results to Feishu, unintended invocation can lead to unanticipated outbound actions or disclosure of retrieved content to external channels.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill advertises automatic Feishu delivery and scheduled pushes without clearly warning that content will be fetched from external websites and transmitted to a third-party messaging platform. This weakens informed consent and can cause users to enable recurring outbound data flows without understanding what is sent, when it is sent, or which external services are involved.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal