今日话题解读器

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward hot-topic and news briefing helper that fetches public trend data and searches the web, with no evidence of hidden persistence, credential access, or destructive behavior.

Install this if you want an agent to fetch public hot-search and news information from third-party services for summaries. Avoid using it with sensitive personal, confidential, or private topics unless you are comfortable with those search terms being sent to external web services.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill’s trigger scope is very broad, covering generic requests like '今天有什么大事' and '热点解读', which can cause the agent to invoke this skill for ordinary current-events conversations without clear user intent. Because the skill performs external fetching and multi-step search/fetch behavior, over-broad routing increases the chance of unexpected network access, privacy surprises, and model overreach.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to fetch data from third-party hot-search endpoints and then perform additional web search/fetch operations, but it does not warn users that external network access will occur. This can mislead users about where information is coming from and creates transparency and privacy risks, especially if user-provided topics are sent to external services.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal