IndustryInformation

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its API-key handling could expose a user’s FEEDAX credential.

Review before installing. Do not paste a real FEEDAX API key into chat, do not run commands that print your whole .env file, and avoid using this skill unless you are comfortable sending queries and credentials to the configured FEEDAX endpoint. Prefer a scoped, rotatable key in an environment variable, use --no-output for sensitive searches, and rotate any key that may have been sent over plain HTTP.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability (Medium severity, 98% confidence)

These instructions direct the agent to inspect local configuration files and, if missing, ask the user to send an API key so the agent can 'remember' it. For a news-querying skill, collecting or retaining credentials in conversation is broader than necessary and creates a direct credential-exfiltration and retention risk.

Context-Inappropriate Capability (Medium severity, 90% confidence)

The execution flow mandates shell commands such as cat and grep and a python3 invocation, even though the skill’s functional goal is only to retrieve industry information. Requiring shell execution expands the attack surface, increases the chance of unsafe command construction from user input, and grants broader system interaction than the skill needs.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The skill claims to provide industry information analysis, but it also persists full results locally to CSV and Markdown by default. Silent local persistence increases privacy and data-retention risk, especially if results contain licensed content, sensitive search topics, or are stored in shared workspaces.

Intent-Code Divergence (Low severity, 78% confidence)

The document is internally inconsistent: it says the API key should already be configured, yet elsewhere instructs the agent to ask the user for the key so it can remember it. This inconsistency can lead operators or the agent toward insecure credential-handling behavior and normalizes disclosure of secrets in conversation.

Missing User Warnings (Low severity, 89% confidence)

The README states the skill is based on the FEEDAX API and even lists the remote endpoint, but it does not prominently warn that user-provided industry keywords and related query parameters are transmitted to an external service. This creates a privacy and data-handling transparency issue: users may enter sensitive research topics, customer names, or internal watchlist terms without realizing those inputs leave the local/system boundary.

Missing User Warnings (Low severity, 93% confidence)

The README documents that CSV and Markdown files are generated by default, but does not clearly warn that retrieved articles, summaries, URLs, and analysis results will be written to local storage unless disabled. This can lead to inadvertent retention of potentially sensitive search results or licensed content on shared machines, CI runners, or monitored workspaces.

Missing User Warnings (Medium severity, 93% confidence)

The skill automatically saves full query results to local CSV/MD files without explicit user notice or consent at execution time. That creates unnecessary persistence of potentially sensitive or proprietary data and may violate user expectations or data-handling policies.

Missing User Warnings (High severity, 99% confidence)

Telling the user to provide their API key so the agent can 'remember' it is a direct credential collection pattern with no safety guardrails. Secrets shared in natural language may be logged, retained, exposed to downstream tools, or reused outside the user’s intent.

Missing User Warnings (High severity, 99% confidence)

The script sends the API key to a hardcoded HTTP endpoint, and also places it in the query string and headers. Because the transport is unencrypted, any network observer or intermediary can capture the credential and the returned data, leading to credential compromise and unauthorized API use.

Ssd 3 (High severity, 99% confidence)

This instruction explicitly encourages the assistant to solicit and retain a user credential in natural language. In the context of a simple industry-news skill, that behavior is especially unjustified and materially increases the risk of credential theft, accidental retention, and later disclosure.

Ssd 3 (High severity, 99% confidence)

The execution flow repeats the same credential-disclosure pattern, reinforcing that users should hand secrets to the assistant for memory. Repetition makes the unsafe behavior operationally likely, not incidental, and raises the chance that real credentials will be exposed in logs or model context.

VirusTotal

64/64 vendors reported this skill as clean.