新闻联播

Security checks across malware telemetry and agentic risk

Overview

This skill fetches news hotspot data from one disclosed service and only offers scheduling after user approval.

Before installing, confirm you are comfortable with requests to hotspot.api4claw.com when you ask for 新闻联播 hotspot data. Treat the optional daily cron setup as a separate decision: review the schedule, recipient, channel, and message before approving it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger phrase is just “新闻联播”, which is broad and likely to appear in normal conversation unrelated to explicitly invoking this skill. That can cause accidental activation, unexpected external requests, and unplanned prompting for cron setup in contexts where the user did not intend to run the skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal