Content News Thai

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it generates Thai news-style social-media images. Its setup, network, and file-output behavior is disclosed, but each of those is a side effect that users should exercise deliberately rather than by default.

Install only if you are comfortable with a setup script that installs system/npm dependencies and downloads fonts. Run it in a project or container you trust, use safe output paths such as a workspace or /tmp image file, and only pass trusted background-image URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

MCP Least Privilege

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to run shell commands (`bash` and `node`) but declares no permissions or constraints around shell execution. This is a real gap: the agent may invoke local scripts that have filesystem and network side effects without an explicit trust boundary, a review step, or a least-privilege declaration that tells the host what the skill needs.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script accepts a caller-controlled `bgImage` value and, when the value starts with `http`, fetches and decodes a remote image. That turns a nominally local image-generation skill into a network-capable one: an agent steered by prompt injection can be made to request internal services (server-side request forgery), emit unexpected outbound traffic, and decode untrusted remote image data.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The output path is fully caller-controlled and is passed directly to `writeFileSync`, so it is not confined to the intended workspace. In an agent setting this allows overwriting any file the process can write, tampering with application state, or dropping files in sensitive locations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
An arbitrary filesystem write primitive is not necessary for a content image generator and materially increases risk. Because the skill runs with the agent's filesystem permissions, an attacker who controls the `output` parameter can write or overwrite any file the process can reach, which can lead to persistence, data corruption, or a chained compromise of the host.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match generic requests such as "make content" or "news image", so the skill can activate outside the narrow intent it was written for. Over-broad routing raises the chance of unintended shell/script execution and can pull unrelated content-generation requests into this skill's workflow.

VirusTotal

64/64 vendors flagged this skill as clean.
