Security News Feed

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real security-news automation skill, but it needs review because it can run unattended, use credentials, publish externally, and archive Notion content with some under-disclosed behavior.

Install only with dedicated low-privilege credentials and a dedicated Notion database. Confirm that sending article content to z.ai/GLM is acceptable, keep Tistory publishing disabled unless you intend to use a logged-in Chrome profile, and review or disable the 90-day Notion archiving and automatic file-upload behavior before scheduled use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Tainted flow: 'current_url' from requests.get (line 198, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content
    current_url = response.url
    for _ in range(3):  # try up to 3 additional redirects
        try:
            resp = requests.get(current_url, headers=self.headers, timeout=5, allow_redirects=False)
            if resp.status_code in [301, 302, 303, 307, 308] and 'Location' in resp.headers:
                next_url = resp.headers['Location']
                if 'google.com' not in next_url:
Confidence: 93%
Finding
resp = requests.get(current_url, headers=self.headers, timeout=5, allow_redirects=False)

Tainted flow: 'upload_url' from requests.post (line 1794, network input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content
    files_payload = {'file': (file_name, f, mime_type)}
    upload_response = requests.post(
        upload_url,
Confidence: 95%
Finding
upload_response = requests.post( upload_url, headers=upload_headers_for_step2, files=files_payload, timeout=120

Tainted flow: 'upload_url' from requests.post (line 1794, network input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content
    print(f"  [DEBUG] 파트 {part_number} 요청 URL: {upload_url}")
    print(f"  [DEBUG] 파트 {part_number} part_number 값: {part_number}")

    upload_response = requests.post(
        upload_url,  # ← no query parameters
        headers=upload_headers,
        files=files_payload,
Confidence: 95%
Finding
upload_response = requests.post( upload_url, # ← no query parameters headers=upload_headers, files=files_payload,

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The docstring claims the script only checks database connectivity, but the code also performs a state-changing write by creating and archiving a page. This mismatch can mislead users or automation into running a script they believe is read-only, causing unintended modification of external data and use of write-scoped credentials.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding
This test script reads a .env file from a user workspace before running multiple crawlers, which grants the script access to whatever secrets or configuration happen to be stored there. Even if the current file does not explicitly exfiltrate credentials, loading secrets without a clearly scoped need increases exposure and can enable downstream components to use those credentials unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The crawler explicitly disables Chrome Safe Browsing while automatically downloading files from a remote site. That removes a built-in protection layer against malicious or deceptive downloads, which is risky even if the intended target is a legitimate government site, because browser content and linked files are still remote and changeable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The code executes page-derived JavaScript download commands via driver.execute_script using parameters extracted from the page. Even though it is intended to trigger site downloads, it trusts remote page behavior and enables active script-driven actions in the browser, expanding the attack surface if the page is compromised or unexpectedly altered.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
This test script reads a user-scoped .env file from the home directory even though its stated purpose is only to run crawler tests. Pulling in environment configuration can expose credentials or sensitive service endpoints to code paths that do not clearly require them, expanding the blast radius if any imported crawler or dependency logs, transmits, or misuses those values.

Intent-Code Divergence

Severity: Low
Confidence: 78%
Finding
The file presents itself as a crawler test, but it also accesses user environment configuration from a persistent home-directory path. That mismatch makes the behavior less transparent and can cause operators to run it with lower scrutiny, increasing the chance that secrets are unnecessarily exposed during testing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The test script unconditionally loads a workspace-scoped .env file before running crawlers, even though the visible purpose is only end-to-end crawler testing. This can expose secrets to imported crawler code or any downstream network activity, expanding the blast radius of a simple test run beyond what a user would reasonably expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The script explicitly loads a local .env file from the user's home workspace, which is a credential/config access operation. In a test script that also performs crawling, LLM processing, and publishing, this creates undisclosed access to potentially sensitive tokens and increases the chance that credentials are used or exposed without clear user consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly describes collecting news, summarizing it, and publishing it to Notion and optionally Tistory, but the user-facing description does not clearly warn that collected content may be sent to external third-party services. This can cause users to trigger the skill without realizing their prompts, collected URLs, summaries, or derived content may be transmitted or published outside the local environment.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The pipeline silently loads credentials from a user-local .env file without any disclosure or consent prompt. In an agent/skill context, hidden credential use is risky because users may not realize the skill will access local secrets and use them for downstream external actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code sends full article content and titles to external LLM functions for summarization and analysis without any visible disclosure, filtering, or data-classification checks. Even if the articles are intended to be public, this establishes a pattern of silent outbound data transfer to a third-party processing service, which can become dangerous if crawled content contains sensitive or restricted material.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script automatically publishes generated content to Notion, causing remote writes without any user-facing confirmation or dry-run mode. In an automation/agent setting, silent publication can lead to unintended data disclosure, workspace pollution, or misuse of authorized integrations.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
This module performs authenticated write operations to Notion, including creating pages, updating counts, appending linked content, and archiving stale pages, without any explicit confirmation, dry-run mode, or user-visible disclosure at the point of action. In an agent/skill context, silent destructive or state-changing behavior is security-relevant because it can alter external systems and delete or archive content unexpectedly if triggered with the configured bearer token.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The crawler is configured to download files automatically with prompts suppressed and no meaningful user confirmation. In combination with headless execution, this can silently fetch untrusted files and makes accidental or malicious bulk download behavior harder to detect and control.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The crawler disables TLS certificate verification on outbound HTTPS requests with verify=False. This allows a man-in-the-middle attacker to intercept or modify responses, which can poison scraped content, redirect downloads, or feed malicious data into downstream systems such as the publisher service or Notion pipeline.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The crawler downloads remote images with requests.get(..., verify=False), which disables TLS certificate validation. This allows a man-in-the-middle attacker or hostile network device to intercept and alter downloaded content, potentially causing the system to ingest malicious files or poisoned data from what appears to be a trusted HTTPS source.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The crawler fetches article pages with requests.get(..., verify=False), which disables TLS certificate validation and allows a man-in-the-middle attacker to intercept or modify HTTPS traffic. Because this code ingests security advisories and republishes their content and attachment references, a network attacker could tamper with trusted-looking security information or inject malicious links into downstream systems.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The crawler downloads image content from page-controlled URLs using requests.get(..., verify=False), which disables TLS certificate validation. That allows a man-in-the-middle attacker or hostile network to spoof the remote server and supply tampered content, and because the crawler later stores and republishes downloaded files, the untrusted content may be propagated into downstream systems.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The crawler invokes curl with -k, which disables TLS certificate validation for the initial page fetch. This allows a man-in-the-middle attacker or hostile network environment to tamper with fetched HTML, causing the crawler to ingest spoofed content or malicious links while treating them as trusted source data.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The detail-page fetch also uses curl -k and consumes article_url derived from previously fetched page content. If the listing page is tampered with, the crawler may follow attacker-supplied links over an unverified TLS connection and ingest malicious content, increasing the risk of data poisoning and unintended outbound requests.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The function sends article title, URL, summary, and generated content inputs to a third-party LLM service without any visible consent gate, minimization, or sensitivity filtering in this module. In a content-processing pipeline, this can expose proprietary, personal, or otherwise sensitive data to an external provider and may violate privacy, contractual, or compliance requirements.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
This module writes logs to a persistent file by default and multiple helper functions include user-controlled titles and raw error strings in log messages. In a security aggregation context, titles or exception messages can contain sensitive data, internal paths, tokens, or incident details, creating an information disclosure risk if logs are retained broadly or read by unauthorized parties.

VirusTotal

59/59 vendors flagged this skill as clean.