Back to skill

Security audit

Daily Ai News Skill Litiao

Security checks across malware telemetry and agentic risk

Overview

This AI news briefing skill uses disclosed web search and article fetching for its stated purpose, with no evidence of hidden, destructive, or privileged behavior.

Install if you want an agent to gather public AI news through web/search tools. Use a Tavily API key you are comfortable spending quota on, verify the referenced Tavily helper before relying on it, and double-check important news claims against the linked original sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation criteria are broad enough to match common, everyday requests like wanting to know 'what's happening in AI,' which can cause the skill to trigger unexpectedly. Because this skill performs external web searches and fetches third-party content, unintended activation can lead to unnecessary outbound requests, privacy surprises for users, and tool use beyond what the user clearly intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description says it aggregates and summarizes news, but it does not clearly warn users that it will perform external web searches and fetch content from multiple third-party sites. This reduces informed consent and transparency, making it more likely that users unknowingly trigger network access, expose query content to external providers, or receive content from untrusted sources without realizing it.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.