Security audit

Daily Ai Brief Skill

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate news-briefing purpose, but it uses broad scraping through unofficial third-party mirrors and an unsandboxed browser in ways users should review before installing.

Review the configured sources before running it, use it in a sandboxed environment if possible, and assume it will contact external sites, scrape third-party platforms, and save collected content locally. Avoid using it where scraping X/Twitter mirrors or unsandboxed browser automation would violate your security, privacy, or compliance requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes installation and execution of a program that reads configuration, writes report files, and fetches content from external network sources, but it does not declare corresponding permissions. That creates a transparency and consent gap: users may run a skill without understanding its file-system and network access, increasing the chance of unintended data exposure or unsafe execution in sensitive environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose frames the skill as collecting from 'reliable' AI news sources and producing a Markdown brief, but the described behavior is materially broader: X/Twitter scraping, dynamic browser automation, third-party Nitter access, arbitrary configured APIs/websites, and JSON file generation. This mismatch is dangerous because it can mislead users about the trust boundary, the volume and type of external interactions, and the local artifacts created when they run the skill.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code launches Playwright with explicit anti-automation evasion settings, disables sandbox protections, spoofs browser traits, and uses it to scrape X/Twitter through third-party mirrors. For a news-brief skill, this exceeds minimally necessary behavior and introduces compliance, detection-evasion, and browser-execution risk if untrusted pages are loaded or the runtime is multi-tenant.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The fetcher iterates across multiple unofficial Nitter instances, some noted in comments as having certificate or connectivity problems. Depending on untrusted mirrors increases the chance of manipulated content, privacy leakage to third parties, and ingestion from compromised or deceptive sources, which is especially risky for an automated news-generation pipeline claiming reliable sources.
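The two findings above (the Playwright launch flags and the hard-coded Nitter mirrors), together with the Lp3 least-privilege gap, are all things a user can check for before installing, without running the skill. The following is an added example, not code from this audit page or from the skill itself: a small pre-install lint that scans a skill's Python sources for sandbox-disabling and automation-evasion flags, user-agent spoofing, third-party Nitter hostnames, and writes into a reports directory, then compares the capabilities those patterns imply against a declared-capability set. The sample source, the mirror hostnames, the rule names and the capability vocabulary are constructed for the demo and are assumptions, not taken from the skill.

```python
"""Pre-install lint for an agent skill's source tree.

Added example (not the audit page's or the skill's own code). It flags the
concrete patterns the findings describe: Chromium launched with the sandbox
off or with automation-evasion flags, browser-trait spoofing, hard-coded
third-party Nitter mirrors, and local report writes. SAMPLE_SOURCE below is
constructed for the demo; hostnames, variable names and paths are assumed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-in for the kind of fetcher the findings describe.
SAMPLE_SOURCE = '''
NITTER_INSTANCES = [
    "https://nitter.example-mirror-one.net",   # cert errors seen
    "https://nitter.example-mirror-two.org",
]
browser = await p.chromium.launch(
    headless=True,
    args=["--no-sandbox", "--disable-blink-features=AutomationControlled"],
)
context = await browser.new_context(
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
)
await page.add_init_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})")
open("reports/brief.json", "w").write(json.dumps(items))
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    evidence: str
    path: str = "<memory>"


# (rule name, severity, pattern). Patterns are kept literal so a reviewer can
# see exactly which token tripped the rule; tune them for your own code base.
RULES = [
    ("browser-sandbox-disabled", "high",
     re.compile(r"--no-sandbox|--disable-setuid-sandbox")),
    ("automation-evasion-flag", "high",
     re.compile(r"AutomationControlled|navigator\W{0,4}webdriver")),
    ("user-agent-spoofing", "medium",
     re.compile(r"user_agent\s*=\s*[\"']Mozilla")),
    ("third-party-nitter-mirror", "medium",
     re.compile(r"https?://[\w.-]*nitter[\w.-]*")),
    ("local-report-write", "low",
     re.compile(r"open\(\s*[\"']reports/[^\"']*[\"']\s*,\s*[\"']w")),
]

# Capability each rule implies; the names and the notion of a declared set are
# assumptions for this demo, since the skill's manifest declares nothing.
IMPLIED_CAPABILITY = {
    "browser-sandbox-disabled": "browser",
    "automation-evasion-flag": "browser",
    "user-agent-spoofing": "browser",
    "third-party-nitter-mirror": "network",
    "local-report-write": "filesystem-write",
}


def scan_source(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per (line, rule) that matches; first hit per rule per line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(rule, severity, lineno, match.group(0), path))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every .py file under root (the skill directory you are about to install)."""
    findings: list[Finding] = []
    for file in sorted(root.rglob("*.py")):
        text = file.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(text, str(file)))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def undeclared_capabilities(findings: list[Finding], declared: set[str]) -> set[str]:
    """Capabilities the code evidently uses but the manifest did not declare."""
    return {IMPLIED_CAPABILITY[f.rule] for f in findings} - declared


if __name__ == "__main__":
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.severity:6} {f.rule:28} {f.path}:{f.line}  {f.evidence}")
    print("undeclared:", sorted(undeclared_capabilities(results, declared=set())))
```

Run it as `python lint_skill.py path/to/skill` to scan a real checkout, or with no argument to see the seven hits on the constructed sample. An empty declared set, which is what a manifest with no permission block amounts to, reports every implied capability as undeclared; that is the transparency gap the Lp3 finding describes.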

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises RSS collection, social-media monitoring, web scraping via Playwright, API access, and report generation, but does not clearly warn users that running the skill performs outbound network access, collects third-party content, and writes files locally. In an agent-skill context, missing disclosure can cause users to invoke the skill without informed consent, increasing privacy, compliance, and operational risk even if the underlying behavior is expected for the tool's purpose.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The feature list emphasizes aggregation benefits but omits an upfront warning that the skill connects to multiple external services and collects data from third-party platforms. In a security context, that omission matters because network collection can expose IP metadata, trigger access to untrusted content, or violate user expectations about outbound connectivity.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The documentation notes that reports are generated in the reports directory, but there is no clear safety warning about local disk writes before execution. This is lower severity than the network risks, yet it can still matter in restricted or sensitive environments where local artifact creation may leak data, consume storage, or conflict with user expectations.

VirusTotal

66/66 vendors reported this skill as clean (no detections).

Static analysis

No suspicious patterns detected.