weekly-ai-news

Security checks across malware telemetry and agentic risk

Overview

This skill coherently fetches public AI news feeds, creates local report files, and prepares an optional Feishu message without hidden sending behavior.

Install if you are comfortable with the skill contacting the listed news/RSS sites and writing report files under the chosen output directory. Review generated messages before sending them to Feishu, especially before adding any recurring cron or OpenClaw schedule.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill advertises and documents capabilities that read/write local files and fetch remote RSS feeds, but it does not declare corresponding permissions in metadata. This creates a transparency and consent gap: users or platforms may not realize the skill performs filesystem access and network activity, especially when combined with automated execution and message delivery workflows.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The markdown instructs users to schedule automatic generation and Feishu sending, but it does not clearly warn that content will be transmitted to external services on a recurring basis. In a scheduled context, this increases the risk of unintended outbound sharing, data leakage, or silent network activity that persists after setup.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal