News Brief - 新闻简报

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned news aggregation skill, with a minor routing concern around broad trigger wording but no evidence of hidden or malicious behavior.

Install only if you want a skill that may fetch news from the web and run its supporting local scripts when news aggregation is requested. Be specific when invoking it, and review any destination or output settings before using it with private or sensitive information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 76% confidence
Finding: The trigger description uses broad natural-language examples like requesting today's headlines or portal news aggregation, which can overlap with ordinary user requests and cause the skill to activate unexpectedly. In this skill's context, mistaken activation matters because it can launch local scripts and perform external fetches, turning an invocation-quality problem into a security and privacy concern.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal