Security audit

Dailytech

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed daily tech-news briefing skill with optional scheduled push delivery, and the reviewed files do not show hidden data access, credential use, exfiltration, or destructive behavior.

Install if you want a daily AI/tech briefing and optional morning/evening push notifications. Before enabling push, confirm the target userId, channel, timezone, and times; use the documented off command to disable it when no longer wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The manifest frames the skill as generating a daily visual tech card, but the later documentation introduces user-specific push-notification management commands. That discrepancy can hide stateful behavior from reviewers and users, increasing the chance that recurring delivery features are enabled without clear informed consent or security review of notification workflows.

Context-Inappropriate Capability

Medium (85% confidence)
Finding
Multi-channel push subscription management is broader than what is necessary to generate a news briefing artifact. Extra capabilities like channel targeting and recurring delivery increase the attack surface for spam, unauthorized messaging, and mishandling of user configuration data, especially when no access-control or consent model is described.

Missing User Warnings

Low (81% confidence)
Finding
The instructions describe enabling recurring push delivery but do not include an explicit warning that this creates ongoing notifications on external channels. Missing notice and consent language can lead to unwanted persistent messaging, user annoyance, and compliance issues around subscription-like behavior.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.