Back to skill

Security audit

CCTV News Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: fetch public CCTV news pages for a requested date, without hidden local data access or persistence.

Install only if you are comfortable with the skill making outbound requests to CCTV-related news pages when you ask it for news. For better transparency, the publisher should document the exact network domains and prefer reproducible installs, but the reviewed artifacts do not show behavior requiring Review or blocking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to execute a local JavaScript crawler that fetches external content, which implies network access, but the skill does not declare that capability in its metadata. Undeclared network behavior reduces transparency and weakens permission review, making it easier for a skill to exfiltrate data or access remote content without clear operator awareness.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Fetch news from CCTV",
    "main": "scripts/news_crawler.js",
    "dependencies": {
        "node-html-parser": "^7.0.2"
    }
}
Confidence
90% confidence
Finding
"node-html-parser": "^7.0.2"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.