Back to skill

Security audit

AI News Simple

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI news briefing helper that fetches public news pages with curl and does not show hidden installation, persistence, credential access, or destructive behavior.

Install this only if you are comfortable with your agent contacting the listed public news sites to generate AI briefings. In corporate or privacy-sensitive environments, review outbound network policy first and treat fetched webpage content as untrusted source material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
93% confidence
Finding
The README explicitly promotes direct content extraction with curl but does not disclose that the skill will make outbound requests to multiple third-party news sites. This creates a transparency and consent issue: users may unknowingly trigger network access, leak metadata such as IP/user agent, or violate expectations in restricted/offline environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to perform outbound curl requests to multiple third-party news sites without warning that this will disclose network metadata such as IP address, user agent, timing, and possibly organizational egress patterns. In an agent environment, undocumented external connectivity is security-relevant because it can violate privacy, surprise operators, or conflict with network isolation expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.