The Daily Catch Newscast Studio

Security checks across malware telemetry and agentic risk

Overview

This skill coherently turns user-provided text into a short news script and can optionally call a local voice tool when the user provides an authorized voice reference.

Install only if you are comfortable letting the skill read the source files you choose and write output files to the selected directory. Use audio rendering only with a voice reference you are authorized to use, and remember that the external OmniVoice CLI runs locally outside this skill's code.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill invokes local file reads/writes and shell execution via `python scripts/render_newscast.py` and optional `omnivoice-infer`, but it declares no permissions. That mismatch is a real security issue because users and enforcement systems are not informed that the skill can access local files and launch commands, increasing the chance of unintended file access or command execution in a trusted workflow.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal