Design Daily

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: fetch design news, summarize it with Serper and DeepSeek, and save local brief outputs.

Use dedicated low-limit Serper and DeepSeek keys, keep the generated .env file private, and run preview mode first if you want to inspect behavior before saving outputs. Only add the cron schedule if you intentionally want daily recurring API calls and local log files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        os.environ["SERPER_API_KEY"]   = serper_key
        os.environ["DEEPSEEK_API_KEY"] = deepseek_key
        os.chdir(BASE_DIR)
        os.system(f"{sys.executable} {BASE_DIR / 'run.py'}")


if __name__ == "__main__":
Confidence
92% confidence
Finding
os.system(f"{sys.executable} {BASE_DIR / 'run.py'}")

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires environment variables, reads and writes local files, performs network access, and instructs users to run shell commands, yet it does not declare corresponding permissions. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess or constrain what the skill can access before execution. In this context, the behavior appears aligned with the stated functionality of fetching news and generating briefs, so the issue is more likely under-declared capability disclosure than overtly malicious behavior.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script writes API credentials to a plaintext .env file in the project directory. Storing secrets unencrypted on disk increases the risk of accidental disclosure through file sharing, backups, source control, or permissive filesystem access.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
After configuration, the installer offers to execute run.py immediately, which gives the setup flow an execution capability beyond simple configuration. In a skill ecosystem, auto-running another script during setup is riskier because users may not expect post-install execution with access to freshly entered secrets.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends raw source material, including titles, snippets, URLs, roles, and possibly user-priority or favorite-designer metadata, to an external LLM API without any visible consent, disclosure, or data-minimization controls in this file. If upstream content includes private or sensitive information, this causes unintended third-party data exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script validates API keys by sending them to external services, but it does not clearly disclose to users that their secrets will be transmitted over the network during verification. This creates a transparency and consent issue around secret handling and may expose credentials to logging or monitoring at third-party services.

External Transmission

Medium
Category
Data Exfiltration
Content
    if not DEEPSEEK_KEY:
        raise EnvironmentError("DEEPSEEK_API_KEY 未设置,请检查环境变量")

    resp = requests.post(
        DEEPSEEK_URL,
        headers={
            "Authorization": f"Bearer {DEEPSEEK_KEY}",
Confidence
86% confidence
Finding
requests.post( DEEPSEEK_URL, headers={ "Authorization": f"Bearer {DEEPSEEK_KEY}", "Content-Type": "application/json", }, json=

VirusTotal

64/64 vendors flagged this skill as clean.