Security audit

科技日报

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent daily tech-news skill, but it needs review because it can run automatically, send reports to Feishu, and has unsafe filename handling that can write outside intended folders.

Install only if you want a scheduled news bot that fetches public sources, writes local reports, and may post generated content to Feishu. Configure your own webhook, remove or review the hard-coded user_id, keep cron disabled until you intentionally enable it, and fix filename validation for TODAY and briefing themes before allowing untrusted or arbitrary inputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Tainted flow: 'OUTPUT_FILE' from os.getenv (line 15, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
import json
import os

# Tainted source (line 15 of the audited file): the output path is read from the
# environment and never validated or confined to an intended directory.
OUTPUT_FILE = os.getenv("OUTPUT_FILE")

# The enclosing function and its `report` parameter are assumed; the scan excerpt
# starts at the closing brace of the report dict built just above this point.
def save_report(report: dict) -> None:
    # save
    with open(OUTPUT_FILE, "w", encoding="utf-8") as f:
        json.dump(report, f, ensure_ascii=False, indent=2)

    print(f"\n✅ 日报已保存: {OUTPUT_FILE}")
Confidence
90% confidence
Finding
with open(OUTPUT_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions even though its documented behavior clearly requires network access, environment-variable access, and local file read/write. This creates a transparency and consent problem: a user or platform may approve the skill without understanding that it can contact external services, read configuration/history, and persist data locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose and the actual behavior diverge in several security-relevant ways: the skill can send data to Feishu, reads local state/configuration, and appears to claim data sources and processing steps that are not actually implemented. Misrepresentation of capabilities is dangerous because it defeats informed review and can hide external exfiltration paths or unexpected automation under a benign 'news aggregation' description.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The README states the skill will push aggregated news to Feishu, while the described scope is only to generate a structured brief. This mismatch is security-relevant because it expands the effective data flow and action surface to include external delivery, which can surprise users and reviewers and enable unintended outbound transmission.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The generated briefing materially diverges from the skill's stated AI/Cloud/ML filtering scope by featuring unrelated or policy-sensitive repositories. This is dangerous because downstream users may trust the skill's output as scoped, curated, and safe for that domain, leading to misinformation, accidental promotion of irrelevant or risky content, and policy/compliance issues.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The footer claims that all sources were verified, but the file only shows GitHub API sourcing and does not evidence verification of the listed content. This creates a false assurance signal that can cause users to over-trust the briefing, especially when it includes controversial or potentially unsafe links, increasing the risk of acting on unvetted information.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The statement that all sources were verified is misleading because the report content shows off-scope and weakly curated items, which can cause users to over-trust the briefing. In a news aggregation skill, false verification claims increase the risk of users acting on unvetted links or assuming unsafe content has been screened.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The config hard-codes push delivery to a specific user account without disclosing that behavior in the skill description. In an aggregation skill, this creates a covert data-flow/output redirection risk: generated content, usage-triggered summaries, or future enriched data could be silently sent to an unintended recipient.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A fixed delivery target unrelated to the stated purpose of 'daily tech news aggregation' is highly suspicious because it routes output to a predetermined account regardless of who invokes the skill. This enables unauthorized disclosure of generated reports and potentially any embedded metadata or future collected content to a third party.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The generated report states that all sources have been verified even though the code performs no verification and only uses a single upstream API. This creates a false trust signal that can cause users or downstream agents to treat unverified content as vetted, increasing the risk of misinformation propagation and unsafe decision-making.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill transmits generated report content to an external Feishu webhook, but the manifest description presents the skill as a news aggregation tool and does not disclose outbound delivery behavior. Undisclosed exfiltration-capable behavior is risky because operators may supply local report files or enriched content assuming processing is local, while the code can silently forward that data to a third-party endpoint.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code reads an external webhook from the environment and posts the full rendered report to Feishu, which expands the skill from aggregation into external distribution. In the context of a skill described primarily as collecting and summarizing tech news, this undisclosed network-send capability increases the risk of unintended data disclosure, especially if future report content includes internal prompts, metadata, or non-public sources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README describes automatic aggregation and pushing content to Feishu without any visible warning or consent flow for network transmission and external delivery. In this context, scheduled execution at 08:00 makes the issue more dangerous because data can be sent automatically and repeatedly without a fresh user action or awareness.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manual trigger phrase '生成日报' ("generate the daily report") is generic enough to appear in ordinary conversation, making accidental activation plausible. In this skill's context, unintended activation could start network fetching, local file updates, issue-counter changes, and optional Feishu pushes without the user intending to run the automation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list contains broad phrases like 'tech news', '每日资讯' ("daily news"), and '科技资讯' ("tech news"), which can overlap with normal user requests for information rather than an instruction to execute the skill. Because this skill performs automated collection, local persistence, and optional outbound webhook delivery, ambiguous activation increases the risk of unintended side effects.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.