Daily Intel Report

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed daily news and procurement digest that fetches public sources and optionally pushes a report, with no evidence of hidden data access, credential theft, or destructive behavior.

Install only if you want a scheduled or manually triggered Chinese daily digest. Confirm any cron schedule, Feishu DM target, and SMTP settings before enabling delivery, and treat fetched web content as untrusted source material.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill clearly relies on network-capable operations (`web_fetch` and external news/government sources) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: reviewers, runtimes, or users may not realize the skill can access remote content and potentially exfiltrate data or ingest adversarial web content.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases include broad, everyday expressions such as `早报`, `AI新闻`, `招标信息`, and `今日推送`, which can cause accidental invocation in unrelated conversations. Mis-triggering a skill that performs network collection and outbound delivery can lead to unintended data retrieval, noisy automation, or unauthorized message sending.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal