Daily Report Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a daily-report generator, but it has a real command-injection risk in its Git integration and broad execution/network permissions.

Review before installing. Use only trusted CSV/JSON files and repository paths, avoid paths containing shell metacharacters, and do not enable email delivery without checking recipients and report contents. The Git command should be fixed to avoid shell=True before this is used in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        """Extract today's commit records from the Git repository"""
        try:
            cmd = f'git -C "{repo_path}" log --since="{days} days ago" --pretty=format:"%h|%an|%s|%ad" --date=short'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            if result.returncode != 0:
                print(f"[WARN] Git仓库读取失败: {result.stderr.strip()}")
                return []
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a Python script with user-supplied paths and advertises file read, file write, and shell execution capabilities, but it declares no permissions. That creates a transparency and policy gap: users and the host system are not clearly informed that the skill can access local files and execute commands, which increases the chance of unintended data exposure or unsafe execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill’s stated purpose emphasizes report generation, but the documented behavior also includes reading Git history and sending reports via SMTP. Those are materially different data-access and outbound-transmission behaviors; if not clearly disclosed, users may trigger the skill without realizing it can inspect repositories and exfiltrate report contents externally.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manifest requests `exec` permission even though the declared purpose is collecting work data and generating reports, which can typically be implemented without arbitrary shell execution. Unnecessary command-execution capability expands the attack surface: if any user-controlled input reaches scripts or subprocess calls elsewhere in the skill, it could enable command execution or abuse of the host environment.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill includes email-sending behavior beyond simple report generation, which expands its capability to exfiltrate generated content or sensitive work summaries to external recipients. In this context, daily reports may contain internal project status, risks, and support needs, so adding transmission functionality increases data-leakage risk significantly.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This code connects to external SMTP infrastructure, creating a network egress path not required for local report generation. Because the generated reports summarize internal work data, this can expose sensitive information externally if misconfigured, abused, or triggered unexpectedly.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation phrases are broad and the README states the skill will trigger automatically, which can cause the agent to activate in response to ambiguous everyday language. In this skill’s context, automatic activation is more dangerous because the skill aggregates potentially sensitive work data from multiple sources and may generate or send reports without a clearly bounded user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises automatic email sending of collected work data but does not clearly warn users that potentially sensitive internal project information may be transmitted outbound. In this context, the risk is elevated because the skill consolidates CSV/JSON/Git data, which may include confidential business details, and sending that data externally without explicit notice or consent can cause privacy or data leakage incidents.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger language includes broad phrases like wanting to summarize today's work, which could match ordinary conversation and cause unintentional activation. In a skill that reads local data sources and may later send output, accidental invocation increases the risk of collecting or processing sensitive work information without sufficiently informed user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that it automatically collects and analyzes data from multiple sources, but it does not present a clear user-facing warning about what data will be accessed and that reports may be sent externally. In an enterprise reporting context, those sources may contain sensitive project, personnel, or repository information, so omission of notice materially raises privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Describing automatic email sending without a corresponding warning or explicit confirmation is dangerous because it enables outbound transmission of potentially sensitive daily-report content. In this skill’s context, reports aggregate data from CSV, JSON, and Git sources, so a single action could disclose internal operational details to unintended recipients or misconfigured mail targets.

VirusTotal

65/65 vendors flagged this skill as clean.