Security audit

科技日报

Security checks across malware telemetry and agentic risk

Overview

This looks like a tech-news digest skill, but its claimed source coverage and verification do not match the code or bundled outputs, and it includes external delivery and scheduled execution paths.

Review before installing. Use it only if you are comfortable with scheduled public-news fetching, local report/state files, and optional Feishu delivery. Configure any webhook yourself, remove or replace the hard-coded push target, disable cron unless you want daily runs, and treat generated briefings as unverified until the source and filtering logic is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Tainted flow: 'OUTPUT_FILE' from os.getenv (line 15, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
}

    # save the report (OUTPUT_FILE is taken from the environment, see the tainted flow above)
    with open(OUTPUT_FILE, "w", encoding="utf-8") as f:
        json.dump(report, f, ensure_ascii=False, indent=2)

    print(f"\n✅ 日报已保存: {OUTPUT_FILE}")
Confidence
84% confidence
Finding
with open(OUTPUT_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, yet its specification clearly requires network access, environment variable access, and local file read/write for config, state, and output handling. This creates a transparency and governance problem: users or the hosting platform cannot accurately assess what the skill is allowed to do, increasing the chance of unexpected data access or external communications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The description emphasizes news aggregation, but the skill also performs outbound Feishu webhook delivery, local state management, and persistent file generation. That mismatch can mislead reviewers and users about the operational footprint, causing them to approve a skill that has broader data handling and communication behavior than expected.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README states the skill will push the generated digest to Feishu, which is a broader capability than a simple local briefing generator and creates an outbound data-delivery path. Scope expansion like this matters because it can transmit generated content to third-party services without the user clearly understanding that message delivery is part of the skill's behavior.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The generated briefing does not align with the skill’s stated behavior: it claims to aggregate GitHub Trending, 51CTO, and Baidu tech hot-search content filtered to AI/Cloud/ML, but the visible output is almost entirely generic GitHub repository listings, including unrelated projects. This creates integrity and trust risks because users may act on inaccurate summaries or believe source and topic constraints were enforced when they were not.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The statement that 'all sources were verified' is contradicted by the attribution showing only GitHub API as the data source, while the skill description promises additional sources. Even if not directly enabling code execution or data exfiltration, this is a deceptive assurance that can mislead users into overtrusting the accuracy and validation status of the content.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The briefing claims it filters for AI/Cloud/ML content, but the highlighted items include unrelated or risky categories such as proxy lists and DNS-tunneling censorship-bypass tools. This breaks the skill's stated trust boundary and can surface dual-use or abuse-enabling content to users under a misleading 'curated tech news' label, increasing the chance of unsafe or out-of-scope recommendations.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The footer asserts a broad set of sources that do not match the skill's declared aggregation scope or the visible content, creating provenance ambiguity. In a news-aggregation skill, inaccurate source attribution can mislead users about where claims came from and makes fabricated or unverified items harder to detect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The briefing includes content beyond the manifest-described sources and topic boundaries, indicating the generator may be inventing, over-broadly scraping, or mixing in unapproved material. This weakens trust guarantees and can propagate false market, financing, or product claims under the appearance of an authorized daily digest.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill is configured to push collected output directly to a specific user ID, creating a hard-coded delivery path that bypasses user choice and can enable unauthorized or undisclosed data routing. Even though this skill appears to aggregate public news, the same mechanism could be repurposed to silently send summaries, prompts, metadata, or future sensitive content to a fixed recipient.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata promises aggregation from GitHub Trending, 51CTO, and Baidu hot search with AI/Cloud/ML filtering, but the implementation only pulls a generic GitHub repository search and builds the entire briefing from that single dataset. This is dangerous because it misrepresents provenance and coverage, causing users or downstream agents to trust an incomplete and potentially irrelevant briefing as if it were multi-source validated tech news.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The generated markdown asserts '所有来源均已核验' even though the code only performs a single API request and does no authenticity, reputation, integrity, or cross-source verification. This creates a false assurance signal that can mislead users into treating unverified content as vetted, which is especially risky in a news aggregation skill intended to influence decisions or summaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes automatic aggregation, summarization, and pushing results to Feishu, but does not warn users about continuous outbound network access or external message transmission. In an agent skill, undisclosed network access and auto-delivery can surprise users, leak sensitive derived content, or cause unintended distribution to external recipients.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manual trigger phrases such as '生成日报' and '推送科技资讯' are generic enough to collide with ordinary user requests, which could cause the skill to run unexpectedly. In a skill with network access, file writes, and outbound webhook support, accidental invocation increases the chance of unintended scraping, state changes, or message delivery.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.