HN Daily Brief

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: fetch public Hacker News content, generate a daily brief, and optionally save or schedule the report.

Install this if you want an agent to fetch public HN stories and linked articles, generate a daily brief, and optionally write report files locally. Review the outputDir, persist setting, and reminderTime before enabling recurring scheduled runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 96%
Finding: The skill instructs the agent to read and write files and fetch network data, but no explicit permissions are declared. This creates a capability/visibility gap: reviewers and runtime policy may underestimate what the skill can access, while the skill persists outputs to a user-controlled directory and updates index files.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill description presents a simple report-generation workflow, but the body adds additional behaviors such as validation logic, persistence requirements, scheduling/retry orchestration, and index mutation. This mismatch can conceal operational side effects from users and reviewers, increasing the chance of unintended file changes, duplicate scheduled jobs, or unsafe deployment under the wrong trust assumptions.

VirusTotal

64/64 vendors flagged this skill as clean.
