每日新闻

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward daily-news lookup tool that only makes disclosed requests to a news API, with a minor caveat that broad news-related wording may trigger it more often than expected.

Install if you are comfortable with the skill contacting api.cjiot.cc when you ask for news or article details. Avoid including personal information in news queries, and be aware that generic news-related phrases may be enough to invoke it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger conditions are overly broad, including generic keywords like “新闻”, “日报”, and “头条”, which can cause the skill to activate during ordinary conversation unrelated to an explicit request to use this skill. Mis-triggering can lead to unintended outbound requests to the third-party API and unnecessary disclosure of user intent or context.

VirusTotal

65/65 vendors flagged this skill as clean.
