Back to skill

Security audit

Daily Ai News

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI news briefing helper that browses public news sources and does not request local data, credentials, persistence, or mutation authority.

Install this if you want an agent to fetch and summarize current AI news from public sources. Be aware it may activate for broad AI update requests and will browse external pages; fetched articles should be treated as untrusted source material and summarized or cited, not followed as instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The metadata description says the skill activates for broad requests like 'AI updates' or 'latest AI developments', which can match ordinary conversation and cause the skill to trigger when the user did not explicitly ask for a news briefing. Over-broad activation increases unintended tool use and web access, which can lead to irrelevant retrieval, privacy exposure from unnecessary searches, or response hijacking by a skill when another capability would be more appropriate.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The 'When to Use This Skill' section includes vague triggers like 'wanting to know what's happening in AI' and 'AI industry news, trends, or breakthroughs', which lack clear invocation boundaries. In context, this skill performs external fetching and search, so accidental activation is more dangerous than a purely local formatting skill because it may initiate unnecessary browsing and shape the conversation around retrieved content rather than the user's actual request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.