Simple RSS news feed

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public news RSS headlines from fixed sources and does not show hidden data access, persistence, credential use, or destructive behavior.

Install if you want an agent to fetch public RSS headlines. Be aware that running it contacts external news providers, including rsshub.app for the AP feed, and returned headlines/descriptions are untrusted external content that should be treated as news text, not instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrases are broad everyday requests such as asking for latest news or a morning briefing, which can cause the skill to activate in many common contexts. Overbroad activation increases the chance of unintended tool use and automatic outbound HTTP requests to third-party sources without the user realizing a networked skill was invoked.

Missing User Warnings

Low
Confidence: 92%
Finding
The markdown description says the skill uses HTTP and fetches live feeds, but it does not present a clear user-facing warning that execution sends requests to external news providers. This weakens informed consent and can surprise users in privacy-sensitive or restricted-network environments.

VirusTotal

66/66 vendors flagged this skill as clean.
