News Summary Voice

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only news briefing skill whose web feed fetching and optional voice output match its stated purpose, with some privacy and source-verification points to note.

Install only if you want an agent to fetch public news feeds and optionally speak or generate audio summaries. Verify the RSS sources you trust, avoid sending sensitive or private text to external TTS services, and enable any scheduled briefing behavior only through an explicit scheduler you can disable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are broad enough to match common conversational requests like '新闻' or '今天发生了什么', which can cause the skill to activate in situations where the user did not explicitly consent to fetching remote content or generating audio. In this skill, unintended activation is more concerning because it may retrieve external RSS data and potentially route content through a TTS service without a clear warning.

Missing User Warnings

Medium
Confidence: 95%
Finding
The description does not warn users that the skill fetches data from third-party RSS feeds and may send text to a TTS service, which creates a transparency and privacy problem. Users may unknowingly trigger external network requests or content transfer to another service, which is particularly harmful in assistants expected to minimize undisclosed data sharing.

VirusTotal

64/64 vendors flagged this skill as clean.