
Security audit

AI Daily News

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its AI-news reporting purpose, but it should be reviewed because it can silently install a package and includes an overbroad browser command helper.

Review before installing. Use a virtual environment or other isolation, preinstall dependencies from reviewed requirements instead of allowing runtime pip installs, use a limited Feishu webhook, keep config.json out of source control/backups, and enable scheduled runs only after confirming exactly what content will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    try:
        full_cmd = f"agent-browser {command}"
        result = subprocess.run(
            full_cmd,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run(full_cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Excerpt from the skill's YouTube collector; `logger`, `subprocess` and `creator_config` are defined elsewhere in the skill.
try:
    import yt_dlp
except ImportError:
    logger.warning("yt-dlp 未安装,尝试使用pip安装...")
    subprocess.check_call(['pip', 'install', '-q', 'yt-dlp'])
    import yt_dlp

channel_url = f"https://www.youtube.com/{creator_config.get('handle', '')}/videos"
Confidence
95% confidence
Finding
subprocess.check_call(['pip', 'install', '-q', 'yt-dlp'])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that read and write local files, execute shell commands, and access external networks, but it neither declares permissions nor warns users about that privilege scope. This is dangerous because users and host systems may grant or assume trust without understanding that the skill can install dependencies, scrape websites, generate reports, and send data over the network.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The fallback helper is generic: it accepts arbitrary agent-browser subcommands and, through js_extractor, arbitrary JavaScript, which exceeds the narrow purpose of collecting news items. If any caller can influence extraction_rules or the command content, the helper becomes a general execution primitive for browser actions and page-script execution against arbitrary sites.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The collector exceeds its stated purpose by modifying the host environment and fetching executable package content at runtime. In an automation skill that may run unattended on servers or agents, this increases exposure to dependency confusion, malicious package updates, and operational drift between executions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes automated news collection and reporting but does not clearly warn that collected content is transmitted to Feishu via the webhook/chat configuration. Users may therefore not realize that external sharing occurs, which can lead to unintended disclosure of scraped content, internal notes, or misconfigured data included in generated reports.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script collects Feishu credentials and writes them directly to a local config.json file in plaintext, without warning the user or setting restrictive file permissions. This increases the risk of credential disclosure through accidental commits, backup leakage, shared workstations, or overly permissive filesystem access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic package installation without user approval is risky in an agent skill because it silently changes system state and may execute package-installer code without operator awareness. The unattended nature of a scheduled news collector makes this more dangerous: the behavior can recur in production and conceal unexpected network access or environment mutation.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.