Security audit

Karpathy Curated RSS Brief

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public RSS and article content to create a Chinese newsletter, and its network and local file activity is disclosed and aligned with that purpose.

Install only if you are comfortable with the skill making outbound requests to a hosted OPML file, many public RSS feeds, and selected article pages, and with uv resolving Python dependencies at runtime. Run it from a directory where creating a dated markdown newsletter file is acceptable; review or pin the OPML source first if you require a fixed, auditable feed list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill directs the agent to access external network resources, including a third-party OPML URL and article pages, but the skill metadata does not declare any permissions or make that network behavior explicit. This creates a transparency and consent problem: users and policy layers may not realize that invoking the skill causes outbound requests to untrusted destinations and content ingestion from arbitrary feeds.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documented purpose says the skill generates a Karpathy-curated Chinese newsletter, but the workflow actually relies on a third-party GitHub Pages OPML file and a feed-fetching script that emits raw JSON before additional processing. That mismatch weakens user trust and reviewability, because the actual data source and behavior are broader and less controlled than the description suggests.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The README describes fetching many RSS feeds and reading selected articles in full, but it does not clearly warn users that the skill performs broad outbound network access to numerous third-party domains. This can surprise users, leak metadata such as IP address, user agent, and request timing to external sites, and increase exposure to untrusted content during normal use.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The trigger phrases include broad, ordinary terms such as '生成日报', '今日资讯', and '每日简报', which can match common user requests that are not clearly asking for this specific skill. Overbroad triggers increase the chance of accidental activation, causing unintended network access, web fetching, and file creation without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill instructs the agent to write a markdown file into the current working directory and then run a validation command on it, but it provides no user-facing warning or confirmation step before modifying the filesystem. In shared or sensitive workspaces, this can lead to unintended file creation, clutter, or writing into repositories and directories the user did not intend to modify.

VirusTotal

66/66 vendors flagged this skill as clean.