AI News Digest by YQG

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only AI news digest skill whose web research and optional report delivery match its stated purpose.

Safe to install for AI news summaries. Use chat output by default, and only ask it to save a file or publish to Feishu after confirming the exact destination and permissions you intend to grant.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The activation triggers are broad enough to match generic requests like industry updates or news summaries, which can cause the skill to activate outside its intended scope. Over-broad invocation increases the chance of unintended web access and downstream actions such as report generation when the user did not explicitly ask for this specific capability.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly supports writing to Feishu documents and files, but it does not require an explicit confirmation step or warn the user before modifying external documents or saving data to disk. This can lead to unintended data persistence or external side effects, especially if the skill is auto-invoked or if the destination path/document is inferred incorrectly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal