Ai Hot News Workbench

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI news collection and briefing workflow with one disclosed, optional insecure TLS debug flag that users should normally avoid.

Install only if you want a workflow that gathers public AI news and prepares a Chinese briefing. Use the default command with TLS verification enabled; avoid --insecure except for temporary local certificate troubleshooting because it can allow tampered feed content on an untrusted network.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The --insecure flag causes urllib to use an unverified SSL context, disabling certificate validation for all configured remote RSS/Atom feeds. If this option is used in a real workflow, a network attacker or hostile proxy could intercept HTTPS traffic and supply tampered feed content, causing the agent to ingest and forward manipulated news items.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal