RSS News Aggregator

Security checks across malware telemetry and agentic risk

Overview

This RSS aggregator does what it claims: it fetches user-chosen or built-in RSS feeds, filters articles, and generates reports without hidden persistence or credential access.

Install this in a normal Python virtual environment and only add RSS feeds you intend to contact. Treat fetched feed content and links as untrusted, and use pinned dependencies or a lockfile if you need reproducible or enterprise-controlled installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill clearly performs outbound network access by fetching RSS and article content from external sources, but the documentation does not warn users that using it will contact third-party endpoints. This can create privacy, egress-control, and trust-boundary issues, especially in restricted environments where external requests must be explicitly disclosed and approved.

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.31.0
html2text>=2024.2.26
Confidence
97% confidence
Finding
feedparser>=6.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.31.0
html2text>=2024.2.26
Confidence
97% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.31.0
html2text>=2024.2.26
Confidence
95% confidence
Finding
html2text>=2024.2.26

VirusTotal

64/64 vendors flagged this skill as clean.
