ai-news

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward daily-news lookup tool that only calls a disclosed third-party news API and does not access local files, credentials, or persistent settings.

Install it if you are comfortable with api.cjiot.cc receiving the dates or article IDs you request. Treat returned article content as untrusted news text, not as instructions for your agent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger conditions are overly broad, including generic keywords like “新闻”, “日报”, and “头条”, which can overlap with normal conversation and cause unintended skill activation. In an agent environment, this can lead to unsolicited outbound requests to the external news API and inappropriate context switching away from the user’s actual task.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal