每日要闻

Security checks across malware telemetry and agentic risk

Overview

This is a normal daily-news skill that calls a disclosed news API, with only a minor risk of activating on broad news-related words.

Install if you are comfortable with a third-party news API being contacted when you ask for news. Consider narrowing the trigger wording or requiring explicit confirmation if accidental news lookups would be disruptive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger conditions are overly broad, including generic keywords like “新闻”, “日报”, and “头条”, which can match ordinary conversation and cause unintended activation of the skill. This is primarily a security-relevant safety issue because accidental invocation can lead to unsolicited external API requests and incorrect context handling, though it does not directly enable code execution or data exfiltration beyond the intended news query.

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal