Security audit

Today News Task

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed news-fetching helper with expected outbound web requests, but users should keep it limited to trusted public news or search pages.

Install only if you are comfortable with the agent making outbound requests to public news or search pages and seeing raw page HTML. Keep URLs limited to trusted public sources, and review the separate today-task skill before using the optional push feature.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs the agent to execute a local Python helper that performs network fetching, but the skill metadata declares no corresponding permissions or constraints. This creates a capability mismatch that can hide external network access from users or policy enforcement, making it easier for the skill to fetch unexpected resources or bypass safer built-in fetch controls.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The documented purpose is limited to aggregating news, but the instructions direct the agent to run `python fetch_url.py <URL>` on arbitrary user-supplied URLs and even fall back to search-result pages. A skill that can retrieve any URL under the guise of a narrow news task materially expands its attack surface and can be repurposed for unintended network access, content retrieval, or policy bypass.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The script accepts an arbitrary URL from the command line and fetches it without any allowlist or validation, which gives it generic network retrieval capability beyond the stated news-aggregation purpose. In an agent/skill context, this can be repurposed for unauthorized outbound requests, internal endpoint access, or retrieval of untrusted content, making the capability materially broader than advertised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The implemented behavior is a raw fetch-and-print utility, not a bounded news collection and summarization workflow as described in the manifest. This mismatch increases risk because consumers may trust the skill as a narrow news tool while it actually exposes a general-purpose content retrieval primitive that can be abused in broader ways.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The code performs outbound network requests to user-supplied destinations without any warning, consent flow, or disclosure of what data is being contacted. While not inherently an exploit by itself, this weakens transparency and can conceal unexpected communication with external or sensitive endpoints in a skill environment.

VirusTotal

66/66 vendors flagged this skill as clean.