Security audit

GARSS Studio RSS API

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly coherent RSS API helper, but it gives an agent broader local setup and authenticated mutation authority than a read-focused news skill should have without clearer user approval.

Install only if you are comfortable letting an agent operate a local GARSS Studio instance. Use a trusted base URL, keep the access code and Bearer token private, require explicit approval before Docker startup or any create/update/delete/settings action, and stop local containers when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding:
The documented API exposes create, update, and delete capabilities that exceed the skill's stated purpose of reading, refreshing, summarizing, and inspecting RSS content. In an agent setting, this scope mismatch is dangerous because an agent granted this skill could mutate subscriptions, categories, or settings contrary to user intent, increasing the chance of unauthorized state changes or data loss.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding:
Administrative configuration endpoints for settings and category management are not necessary for the declared news-reading use case. This broadens the operational blast radius: an agent intended only to inspect news could reconfigure refresh cadence, parallelism, or taxonomy, potentially disrupting service behavior or user organization.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The skill explicitly documents a default access code of "banana" and instructs agents to use it if no other credential is supplied. Even in a local-dev context, embedding and normalizing a shared default secret encourages insecure deployments, accidental reuse, and unauthorized access if the service is exposed beyond localhost or copied into other environments.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
The skill tells the agent to clone a repository, copy environment files, and launch Docker services, all of which are system-changing operations that may pull untrusted code, create containers, modify local files, and expose services. Without an explicit confirmation step or warning, an agent could perform impactful actions on a user's machine when the user only intended read-only RSS access.

Missing User Warnings

Severity: Low. Confidence: 78%.
Finding:
Delete endpoints are documented without any warning about permanent removal of subscriptions and cached reader data. In a human-only API this is a documentation quality issue, but in an agent skill it materially increases the risk of accidental destructive actions because the model may not infer the consequences from terse endpoint descriptions alone.

VirusTotal

62/62 vendors flagged this skill as clean.