Back to skill

Security audit

Fomo News

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward news and GitHub trend fetcher that makes disclosed outbound requests and does not show hidden persistence, destructive behavior, or credential misuse.

Install only if you are comfortable with the skill contacting public news, RSS, blog, Google News, and GitHub endpoints. It can run without a GitHub token; if you provide one, use a low-scope token because public repository search does not require broad permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest includes very broad regex trigger patterns such as requests for 'news', 'updates', 'what's happening', and 'trending', which can match many ordinary user prompts. This can cause the skill to activate unexpectedly and intercept queries that were not clearly intended for this tool, increasing the chance of inappropriate tool invocation and unintended external network access.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/fetch.mjs:46