newsnow

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward news-fetching CLI skill with normal caution needed around the external npm package and optional Product Hunt token.

Before installing, verify that the newsnow npm package is the one you intend to trust, preferably at a known version. Only set PRODUCTHUNT_API_TOKEN if you need Product Hunt results, keep it out of logs and prompts, and use the least-privileged token available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill documents that PRODUCTHUNT_API_TOKEN is required but does not explicitly warn that using the producthunt source will send authenticated requests to an external third-party service. This can lead users to expose personal or organizational API credentials without understanding the data flow, especially in agent-driven environments where tool execution may be automatic.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal