my-daily-news

Security checks across malware telemetry and agentic risk

Overview

This skill runs a small local Python script to fetch public news/trending headlines from Baidu and Google Trends, with no evidence of hidden data access or persistence.

Install only if you are comfortable running a local Python script that contacts Baidu and Google Trends and returns their headlines. Prefer using a virtual environment, review or pin the Python dependency versions, and remember that returned headlines are remote content rather than locally generated facts.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 96% confidence
Finding: The skill invokes a Python script that fetches news from external sources like Baidu and Google, which implies network access, but the manifest declares no corresponding permissions. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill without realizing it performs outbound network requests, and any remote content fetched is then returned directly to the user.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal