Back to skill

Security audit

Fox Veille

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed RSS digest automation skill with optional LLM scoring and outbound delivery, but users should enable outputs and scheduling deliberately.

Install only if you want an RSS digest tool that can fetch public feeds and optionally send summaries externally. Keep outputs disabled until you verify recipients, file paths, token scope, and companion skills; treat feed text as untrusted even when using the LLM scoring and summary features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents capabilities to read and write local files, access the network, and invoke subprocesses, but does not declare corresponding permissions in a machine-readable way. This creates a transparency and policy-enforcement gap: an agent or platform may invoke the skill without understanding its actual authority, increasing the chance of overprivileged or unexpected execution.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrases are broad natural-language requests like asking for recent news, which can cause the skill to activate in situations where the user did not intend external fetching, LLM scoring, or dispatch actions. In this skill, unintended invocation is more concerning because it can lead to network access, local state changes, and autonomous outbound delivery to Telegram, email, Nextcloud, or files.

Ssd 1

Medium
Confidence
92% confidence
Finding
The agent template explicitly recommends placing untrusted RSS-derived content into an LLM prompt for analysis. Because feed content is attacker-controlled, this can enable prompt injection that manipulates downstream agent behavior, especially in the documented workflow where the LLM summary is followed by dispatch actions and where the skill even advertises a wrapped listing 'ready for LLM prompt injection.'

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.dynamic_code_execution

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
README.md:217

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/dispatch.py:89