Simple news feed reader (RSS)

Security checks across malware telemetry and agentic risk

Overview

The RSS news reader code looks straightforward, but the package includes unrelated local permission settings that could let an agent stage and commit repository changes.

Review or remove .claude/settings.local.json before installing. The news script itself fetches public RSS feeds without credentials, but a news skill should not need pre-approved git add or git commit access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill explicitly states it uses HTTP to fetch external RSS feeds, which is a network capability, yet no corresponding permission is declared in the metadata. Undeclared network access weakens transparency and policy enforcement, making it easier for a skill to exfiltrate data or reach unintended external services without clear review boundaries.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The skill requests broad local execution capabilities including arbitrary Python via Bash and git write operations, which are not necessary for simply fetching RSS headlines. In the context of a news feed skill, these permissions materially expand the attack surface and could be abused to run local code, modify repository state, or stage unwanted changes if the skill or its content is compromised.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal