Security audit

Daily CEO Briefing Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate news-briefing skill, but it needs Review because it under-discloses external AI calls, credential use, browser scraping, and local persistence.

Install only if you are comfortable with a skill that fetches many external sites, uses browser scraping including anti-bot behavior, writes local reports/cache files, and may send fetched content or repository metadata to MiniMax/OpenRouter when credentials are present. Review the API-key handling, use --no-save where possible, and avoid running it on sensitive internal URLs or private feeds.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises and documents execution of Python scripts that read/write local files, invoke shell commands, and fetch remote content, yet the skill metadata does not declare any permissions. This creates a transparency and governance gap: a host may authorize or route the skill as if it were low-risk while it actually performs privileged actions, including network access and filesystem writes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is a narrow daily tech/AI briefing workflow, but the described behavior is materially broader: multiple unrelated profiles, local report persistence, external LLM/API calls, GitHub caching, and page-body scraping via Playwright/Jina. This mismatch is security-relevant because users and policy engines may grant trust based on the narrow description while the skill performs wider collection, storage, and outbound data transfer than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The script deliberately makes Playwright traffic look less automated by disabling Blink automation indicators and setting a realistic desktop Chrome user agent, then explicitly handles Cloudflare challenge pages. In a news-aggregation skill this goes beyond ordinary RSS fetching and meaningfully increases the capability to bypass publisher anti-bot controls, which can enable unauthorized scraping and make downstream abuse harder to detect.

Context-Inappropriate Capability

Severity: High
Confidence: 80%
Finding: The skill invokes auxiliary Playwright-based scraper scripts even though the stated workflow is simple RSS/JSON aggregation. This materially expands the trusted computing base and allows remote web content to drive a headless browser and downstream parser behavior, increasing exposure to browser automation abuse, SSRF-like internal fetches via the browser context, or local resource exhaustion if these helper scripts are compromised or overly permissive.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The script reads API credentials from a fixed external workspace path outside the skill directory, creating unnecessary coupling to broader environment secrets. For a news briefing skill, this expands access beyond least privilege and can unintentionally expose or misuse credentials from the host workspace if the skill is reused in another context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: This module introduces a third-party LLM call path driven by an environment API key, which is not clearly justified by the stated skill workflow of news/RSS aggregation and brief generation. Hidden capability expansion increases supply-chain and privacy risk because operators may deploy the skill without realizing GitHub project data will be sent to OpenRouter for enrichment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The file implements GitHub Trending tracking, caching, and deep analysis, which expands the skill beyond the declared 28-source news aggregation use case. Undocumented feature scope is dangerous in agent skills because it can silently broaden collected data, network destinations, and operational behavior beyond what reviewers and users expect.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README explicitly advertises bypassing anti-bot protections and fetching full external page content for model processing, but it provides no warning about privacy, legal, or network-trust implications. In an agent context, this can cause the system to retrieve untrusted pages, expose internal network metadata or user browsing targets, and transmit third-party content into downstream model pipelines without informed consent or clear safeguards.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding: The skill hard-codes 'Simplified Chinese throughout' without any user-choice mechanism or documented business/locale justification. In a general news briefing skill, this can cause misleading or unusable output for users expecting another language, and may increase the chance that users miss important content or safety-relevant nuance because the system overrides their likely preferences.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script writes externally fetched content to disk by default without requiring explicit opt-in or providing a strong user-facing warning. Because the data comes from many remote sources and may contain sensitive, copyrighted, or unexpectedly large content, silent persistence can create confidentiality, compliance, and local data exposure risks, especially on shared systems or agent environments where report directories are accessible to other processes or users.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding: The script navigates Playwright to a caller-supplied URL with no validation, allowlist, or user disclosure, creating a generic outbound request primitive. In an agent skill this can be abused for SSRF-style access to internal services, probing of local network resources, or unexpected requests to attacker-controlled hosts, and the browser context increases the reachable attack surface compared with a simple RSS parser.

Missing User Warnings

Severity: Medium
Confidence: 72%
Finding: The script persists fetched content to local disk by default for single-source runs without explicit opt-in. In an agent context, silent persistence can leak browsing/query history, scraped content, or other potentially sensitive operational data into predictable report directories, which is riskier than in a purely interactive local script.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill sends article URLs to the Jina Reader proxy to fetch content, which transmits externally sourced browsing targets and may expose internal or sensitive URLs if present in the JSON feed. Because this happens automatically and without disclosure or allowlisting, it creates privacy and data-governance risk and could be abused for unintended outbound requests.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script transmits aggregated article text, summaries, titles, and links to the MiniMax API without any user-facing notice or data minimization. If feeds ever contain proprietary, personal, or policy-restricted content, this external transfer could violate privacy expectations, contractual limits, or organizational handling rules.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Project metadata is transmitted to an external LLM API without any visible user-facing disclosure, consent, or data-handling control. In an agent-skill context, silent third-party transmission is risky because source content may contain sensitive internal repository names, URLs, or derived analysis context that operators do not expect to leave the local environment.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The script unconditionally deletes the entire test_results directory with shutil.rmtree before recreating it. If the resolved path is unexpected due to symlinks, repository layout issues, or accidental execution in an unusual environment, this can destroy user data or CI artifacts without warning. In a testing utility this is more dangerous than usual because operators may run it routinely and assume it is harmless.

Missing User Warnings

Severity: Low
Confidence: 74%
Finding: The template discloses automatic saving to `reports/YYYY-MM-DD/` but does not clearly warn users that the skill writes files into the workspace. In an agent setting, implicit file writes can surprise users, leak generated content into shared/project directories, or create unintended persistence of sensitive summaries.

Ssd 1

Severity: Medium
Confidence: 97%
Finding: Untrusted article content is inserted directly into prompt material with no delimiter strategy, sanitization, or instruction/data separation. A malicious article can embed prompt-injection text such as requests to ignore prior instructions, alter output format, or smuggle misleading content into the generated briefing, degrading the integrity of the final report.

Ssd 1

Severity: Medium
Confidence: 96%
Finding: The final prompt concatenates multiple externally sourced sections into one large user instruction, so any malicious natural-language payload in feeds can compete with or override the intended briefing instructions. In this skill's context, that can produce manipulated executive summaries, omitted items, fabricated framing, or policy-defying output that appears authoritative.

VirusTotal

No VirusTotal findings