Back to skill

Security audit

HF Daily Researcher Min

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed research-reporting skill with some privacy considerations around saved reports and optional Feishu upload, but no evidence of malicious behavior.

Install only if you are comfortable with the skill searching the web for your research topics, saving reports/history locally, and potentially creating Feishu documents. For private research, use a local-only workflow or confirm Feishu upload is disabled or explicitly approved before running automated cron jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The skill documentation is inconsistent about Feishu transmission: one section says Feishu upload is optional, while the execution steps say the agent saves reports locally and to Feishu. That ambiguity can cause unintended external transmission of research data, queries, or summaries without the user's informed consent, especially in automated cron runs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes uploading reports to Feishu without an explicit warning that generated content may be transmitted to an external service. Because the reports may contain user research interests, synthesized findings, or other potentially sensitive content, silent upload creates a privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.