Is daily-ai-news-skill safe?

The skill instructs the agent to fetch full article content from 10-15 external URLs per session using mcp__web_reader__webReader. Fetched web pages could contain adversarial instructions embedded in article text, HTML comments, or invisible elements that the LLM would process as part of its context. This is the most common attack vector for news/web-reading skills.

The skill hardcodes 6 primary news source URLs and instructs the agent to fetch them directly. If any of these domains are compromised or serve adversarial content, the agent would process it. While these are reputable sites, the lesser-known 'ai.hubtoday.app' has a smaller reputation footprint.

The skill instructs the agent to execute 2-3 web search queries per session, then fetch full articles from the top results. Search results are less controlled than direct URL fetches, as any indexed page could appear in results and contain adversarial content.

Network monitoring captured a TLS connection to 216.150.1.1:443 during the install window. While this is likely a system-level operation (Ubuntu package check or similar), it could not be definitively attributed to either the OS or the skill installation process.

The skill activates on common phrases like 'AI news', 'AI updates', 'latest developments', and Chinese-language equivalents. This broad triggering means the skill (and its web-fetching behavior) could activate more frequently than the user intends, increasing cumulative exposure to indirect prompt injection.

If this skill is installed alongside skills that have filesystem write or shell execution capabilities, adversarial content fetched from web pages could potentially instruct the agent to use those other tools for malicious purposes (e.g., 'write this to ~/.ssh/authorized_keys'). The skill itself has no such capabilities, but it widens the injection surface.