Security audit

newsmcp

Security checks across malware telemetry and agentic risk

Overview

This is a simple news-query skill that uses a disclosed external news API and does not request credentials, local files, persistence, or elevated access.

Install this if you are comfortable with your news queries and filters being sent to newsmcp.io. Avoid using highly personal or identifying search terms, and verify important news against trusted primary sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill encourages sending user requests directly to an external third-party API ('Just call the API') without a clear user-facing disclosure at the point of use. This can cause unintentional transmission of user interests, locations, or sensitive query text to an external service, creating a privacy and transparency risk even though the API itself appears read-only.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal