GitHub AI Daily Report

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed daily AI-report workflow that sends and archives generated reports in user-configured Feishu destinations.

Install only after setting the Feishu user ID and document tokens to destinations intended for automated reports. Review the generated report before relying on it, and use a dedicated archive/backlog document so accidental inserts are easy to identify and reverse.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs sending generated content to a Feishu user and modifying Feishu documents without an explicit consent/confirmation step or a warning that data will be transmitted to external services and persisted. This can cause unintended disclosure of sensitive prompt contents, internal analysis, or user data, and can trigger unauthorized document changes if the skill is run in the wrong context or with stale configuration.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal