Tmtpost News

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This news skill is not clearly malicious, but it asks the agent to install and run a remote CLI and touch API-key state, which is more authority than a simple news skill suggests.

Install only if you trust TMTPost and are comfortable with the skill downloading/running its CLI and managing an API key locally. Prefer installing the CLI yourself from a trusted source, verify the binary provenance, avoid running apikey-get in shared terminals, and review any update prompt before allowing the skill to replace executables.

SkillSpector (12)

By NVIDIA

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill invokes shell scripts and an external CLI, performs installation/update flows, and uses network-backed functionality, but it declares no permissions or trust boundaries. That creates an opaque execution surface: a user asking for news can trigger local command execution, binary installation, and API-key handling without an explicit permission model, increasing the risk of unintended code execution or secret exposure if the scripts/CLI are compromised.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The published description presents the skill as a simple news retrieval tool, but the instructions also direct the agent to discover/install/update an external executable, inspect the host environment, and manage API keys. This mismatch is dangerous because users and downstream systems may grant trust appropriate for a low-risk content skill while the skill actually performs higher-risk local execution and software installation, making social engineering and supply-chain compromise more plausible.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This helper code downloads a platform-specific executable, verifies it using a checksum fetched from a remote URL, then executes and installs it locally. That creates a full software update/install path inside a skill whose stated purpose is only fetching news, which materially expands trust boundaries and enables remote code execution if the download or checksum distribution path is compromised.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The code searches the host PATH for a globally installed binary and executes it after only a basic help-command check. In an adversarial or misconfigured environment, a malicious or trojanized binary with the expected name could be picked up and run, giving the skill unintended access to arbitrary host code.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The script checks API key state by executing the CLI's `apikey-get` command, which is a credential-retrieval path rather than a metadata-only status check. Even though it only parses presence and does not print the secret directly, invoking a credential-read command can expose secrets indirectly through process behavior, unexpected CLI output, logging, shell tracing, or a malicious/replaced CLI binary.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
This helper downloads a platform-specific executable, verifies it using a checksum fetched from a remote URL, then executes and installs it locally. Although checksum verification exists, both the binary and the checksum source are remote and there is no stronger trust anchor such as signature verification or pinned public keys, so compromise of the hosting origin or update channel could lead to arbitrary code execution on the user's machine.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The code discovers and executes external binaries using `which`/`where` and then runs the located CLI with `help`. In a skill whose stated purpose is news retrieval, executing arbitrary binaries found on PATH expands the attack surface and can be abused if PATH is manipulated or a trojanized executable with the expected name is present.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The script executes the CLI's `apikey-get` command and infers whether a credential is configured, which accesses credential/account state outside the core news-query behavior. Even though it does not print the key itself, probing credential presence can disclose sensitive environmental state to the caller and normalizes a broader permission scope than users would expect from a news skill.

Missing User Warnings

Medium
Confidence: 80%
Finding
The script auto-detects and executes a local or global `tmtpost-news-cli` binary with no user warning, trust validation, checksum verification, or explicit consent. In a skill context, this increases the risk of executing an unexpected or trojanized binary from the skill directory or PATH, which could perform arbitrary actions when `version` or other subcommands are invoked.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script queries API key state by running `apikey-get` without warning the user that a credential-accessing command will be executed. This is risky because users may not expect a status command to touch secret material, and a compromised CLI could use that invocation to exfiltrate credentials or trigger other side effects.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide tells users to run a command that prints the stored API key to the terminal, which directly exposes a secret on screen and potentially in terminal scrollback, screen recordings, shared sessions, or shell logging setups. In a user-facing setup guide, this is risky because users may copy, share, or run the command in environments where others can observe the output.

Missing User Warnings

Low
Confidence: 79%
Finding
The script runs external CLI subcommands (`help`, `version`, `apikey-get`) automatically and without any user-facing disclosure, so invoking the state checker may trigger access to account and credential state implicitly. In a skill context, silent inspection of local/global CLI state increases privacy risk and can surprise users or downstream tooling that expected a passive status read.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
