Security audit

daily-digest-ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI-powered RSS digest tool, but it uses external AI APIs and can store an API key locally for convenience.

Install only if you are comfortable sending public RSS article metadata and summaries to your chosen AI provider. Use a dedicated low-limit API key, review or delete ~/.hn-daily-digest/config.json when done, and treat generated summaries as untrusted AI-written digest content rather than authoritative analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires network access and use of environment-provided API keys, yet only declares tools and not equivalent permissions/capability boundaries. This creates a transparency and policy-enforcement gap: users or hosting systems may not realize the skill can transmit data externally and consume secrets from the environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script allows OPENAI_API_BASE to point to any arbitrary endpoint, then sends prompts containing fetched article titles, descriptions, links, and model outputs to that endpoint with the supplied API key. This creates a configurable exfiltration path and trust-boundary break: anyone controlling environment configuration can redirect content and credentials to an unintended third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that API keys are automatically remembered in `~/.hn-daily-digest/config.json` without clearly warning users that sensitive credentials will be stored on disk. Persisting secrets locally increases exposure to credential theft from other local users, backups, malware, or accidental inclusion in support bundles and sync tools.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code transmits article titles, descriptions, and links to external LLM providers for scoring/summarization without any consent gate, warning, or data-handling notice. Even if the feeds are public, this still sends aggregated user-requested content and generated summaries to third parties, which can violate privacy, compliance, or deployment expectations.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill instructs persistent storage of a user-supplied API key in a local config file for reuse. Persisting secrets in plaintext under the home directory increases the risk of credential theft by other local processes, backups, accidental sharing, or later compromise of the host.

Ssd 1

Medium
Confidence
96% confidence
Finding
Untrusted RSS titles and descriptions are interpolated directly into the scoring prompt with no delimiter strategy or instruction telling the model to treat feed text as data only. A malicious feed can embed prompt-injection text that manipulates categorization, scoring, keyword extraction, or output structure, degrading integrity of the digest and potentially influencing downstream processing.

Ssd 1

Medium
Confidence
97% confidence
Finding
The summarization prompt includes untrusted article text and URLs directly, allowing malicious feed content to steer the model into producing misleading summaries, malformed JSON, or embedded instructions. Because these summaries are later reused in report generation and highlights, compromise here can propagate through the rest of the pipeline.

Ssd 1

Medium
Confidence
92% confidence
Finding
The highlights step summarizes previously model-generated summaries, so any prompt injection or malicious text that survives earlier stages can become a second-order injection in this prompt. This compounds integrity risk by letting poisoned intermediate outputs influence the final 'today's trends' narrative.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
export OPENAI_API_KEY="<your-openai-compatible-key>"
export OPENAI_API_BASE="https://api.deepseek.com/v1"  # Optional, default: https://api.openai.com/v1
export OPENAI_MODEL="deepseek-chat"                  # Optional, auto-detected if omitted
# Optional fallback:
export GEMINI_API_KEY="<your-gemini-api-key>"
```
Confidence
93% confidence
Finding
https://api.deepseek.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
export OPENAI_API_KEY="<your-openai-compatible-key>"
export OPENAI_API_BASE="https://api.deepseek.com/v1"  # Optional, default: https://api.openai.com/v1
export OPENAI_MODEL="deepseek-chat"                  # Optional, auto-detected if omitted
# Optional fallback:
export GEMINI_API_KEY="<your-gemini-api-key>"
```
Confidence
93% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
|----------|----------|-------------|
| `OPENAI_API_KEY` | Yes (one of the two) | OpenAI-compatible API key — primary provider (supports DeepSeek, 通义千问, 智谱, etc.) |
| `GEMINI_API_KEY` | No | Google Gemini API key — used as fallback when OpenAI fails. Get a free key at https://aistudio.google.com/apikey |
| `OPENAI_API_BASE` | No | Custom API base URL (defaults to `https://api.openai.com/v1`) |
| `OPENAI_MODEL` | No | Model name for OpenAI-compatible API (auto-detected from API base if omitted) |

> **AI provider selection:** The script uses `OPENAI_API_KEY` as the primary provider. If it fails (quota exceeded, network error), the script automatically falls back to Gemini (`GEMINI_API_KEY`). If only `GEMINI_API_KEY` is set (no OpenAI key), the script uses Gemini directly.
Confidence
91% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| Provider | `OPENAI_API_BASE` | `OPENAI_MODEL` |
|----------|-------------------|----------------|
| DeepSeek | `https://api.deepseek.com/v1` | `deepseek-chat` |
| 通义千问 | `https://dashscope.aliyuncs.com/compatible-mode/v1` | `qwen-plus` |
| 智谱 GLM | `https://open.bigmodel.cn/api/paas/v4` | `glm-4-flash` |
| Groq | `https://api.groq.com/openai/v1` | `llama-3.3-70b-versatile` |
Confidence
90% confidence
Finding
https://api.deepseek.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| DeepSeek | `https://api.deepseek.com/v1` | `deepseek-chat` |
| 通义千问 | `https://dashscope.aliyuncs.com/compatible-mode/v1` | `qwen-plus` |
| 智谱 GLM | `https://open.bigmodel.cn/api/paas/v4` | `glm-4-flash` |
| Groq | `https://api.groq.com/openai/v1` | `llama-3.3-70b-versatile` |

> `OPENAI_MODEL` is auto-detected from the API base URL. For DeepSeek it defaults to `deepseek-chat`; for others it defaults to `gpt-4o-mini`. Override with `OPENAI_MODEL` if needed.
Confidence
90% confidence
Finding
https://api.groq.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
export OPENAI_API_KEY="<key>"
export OPENAI_API_BASE="https://api.deepseek.com/v1"
export OPENAI_MODEL="deepseek-chat"
# Optional fallback:
export GEMINI_API_KEY="<fallback-key>"
```
Confidence
94% confidence
Finding
https://api.deepseek.com/

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
cat ~/.hn-daily-digest/config.json 2>/dev/null || echo "NO_CONFIG"
```

If config exists and has a `geminiApiKey`, ask the user whether to reuse saved settings. After a successful run, save the current configuration using the Write tool to `~/.hn-daily-digest/config.json` with the following content:

```json
{
```
Confidence
97% confidence
Finding
Write tool to `~/.hn-daily-digest

Session Persistence

Medium
Category
Rogue Agent
Content
```json
}
```

> Use the Write tool (not Bash) to save the config file for cross-platform compatibility.

---
Confidence
93% confidence
Finding
Write tool (not Bash) to save the config file for cross-platform compatibility. --- ## Interactive Flow ### Step 0: Check saved config ```bash cat ~/.hn-daily-digest

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/digest.ts:1053