cpbox-news-search

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only paid news-search skill with disclosed x402 payment behavior and no hidden code or local data access.

Install only if you intentionally want a paid news-search API. Before use, review the external x402 setup and payment helper, confirm the payment requirements and cost, and use spending limits or a low-balance wallet when automatic payments are enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The description 'USE FOR news search' is broad and generic, which can cause an agent to invoke the skill in many loosely related situations without enough user intent verification. Because this skill triggers paid x402-backed requests, over-broad activation increases the chance of unnecessary external calls and unintended spend.

Missing User Warnings

Medium
Confidence: 93%
Finding
Although the document mentions 'Paid News Search proxy via x402 pay-per-use' and prerequisites, it does not prominently and repeatedly warn that normal use of the skill can incur charges on invocation. In an agent setting, insufficient payment disclosure can lead to silent or surprising paid requests, especially when combined with broad activation criteria.

VirusTotal

65/65 vendors flagged this skill as clean.
