AI Daily Brief XHS

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI-news briefing automation that searches public sources and posts/saves a daily summary, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you want scheduled AI-news searches and brief delivery. Confirm the Feishu/current-session destination, review the separate Tavily helper it calls, and use dedicated Tavily/Bocha API keys rather than broad personal credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The manual trigger phrases are broad natural-language requests such as '昨天 AI 行业有什么大新闻' and '推送 AI 每日简报', which can be matched during ordinary conversation and unintentionally invoke the skill. In a messaging or assistant environment, this increases the risk of promptless or accidental execution, causing unwanted outbound queries and message posting.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal