Back to skill

Security audit

AI新闻资讯

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward TianAPI AI-news helper, with some credential-handling and documentation hygiene issues but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending your TianAPI API key and search terms to TianAPI. Prefer injecting the key through an environment variable or a secret manager, avoid passing it on the command line, and do not commit scripts/.env. Expect setup friction unless the environment variable name and command examples are corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The API key is placed in the URL query string, which can be exposed through logs, proxies, browser/history-like tooling, monitoring systems, or error messages even when HTTPS is used. This is especially relevant for agent integrations where command invocations and request URLs are often captured for debugging or telemetry.

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
    export TIANAPI_AI_NEWS_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_AI_NEWS_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export TIANAPI_AI_NEWS_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_AI_NEWS_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
    python3 scripts/fetch_ai_news.py 你的APIKey 10 大模型 1
Confidence
71% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.