Security audit

news-aggregator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward news aggregation helper that uses a declared SkillBoss API key and does not show hidden code, local data access, persistence, or destructive behavior.

Install only if you are comfortable sending news queries and returned snippets to SkillBoss. Use a scoped or revocable API key where possible, and avoid entering private, confidential, or regulated topics unless that provider is approved for your use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly sends collected search results to an external chat endpoint for summarization, but it does not disclose this secondary data transfer, obtain user consent, or describe privacy implications. Even if the content is 'just search results,' queries and returned snippets can contain sensitive user interests, internal topics, or regulated data, making undisclosed onward transmission a real privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.