Back to skill

Security audit

Morning Brief · 每日AI早报

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed automated AI news briefing script that fetches public/feed content, uses an LLM to rank it, and sends the brief to Telegram.

Install only if you want an automated brief that contacts RSS/tool services, an LLM API, and Telegram. Keep API and Telegram tokens in environment variables or a secret store, verify API_HUB_BASE_URL points to a trusted HTTPS provider, avoid private or regulated feeds unless you trust the LLM and Telegram paths, and run it manually once before enabling the daily schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'req' from os.environ.get (line 288, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
},
            method="POST"
        )
        resp = urllib.request.urlopen(req, timeout=60)
        result = json.loads(resp.read())
        text = result["content"][0]["text"].strip()
Confidence
93% confidence
Finding
resp = urllib.request.urlopen(req, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that access environment variables, local files, network resources, and shell execution, but it does not declare corresponding permissions. This creates a mismatch between what the skill can do and what reviewers or runtime policy may expect, increasing the chance of over-privileged or opaque behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broad and operationally open-ended, covering daily news gathering, filtering, and pushing results without clear trigger boundaries. In an agent environment, vague invocation criteria can cause the skill to run unexpectedly, collect more data than intended, or perform outbound actions when the user did not explicitly request them.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states that collected and LLM-processed content will be pushed to Telegram, but it does not prominently warn users that information leaves the local environment. External transmission can leak browsing-derived content, summaries, internal notes, or accidentally included sensitive data to a third-party messaging platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The scheduled workflow automates fetching external data and sending the resulting brief to a web client/Telegram path without an explicit warning or confirmation step. Automated outbound messaging increases the risk of silent data exfiltration, repeated leakage, or unwanted posting if the content selection or environment is compromised.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends aggregated article metadata and selection criteria to external third-party services, including an LLM endpoint, without any visible consent boundary, minimization note, or warning. In many environments this can disclose reading interests, competitive intelligence focus, and internal prioritization logic to outside vendors, which is a meaningful privacy and business-sensitivity risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.