daily-news-caster

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions require the installation of a dependency from an unverified third-party GitHub repository (https://github.com/cclank/news-aggregator-skill). While the noizai repository is a vendor-owned resource, the cclank repository is an unknown third party.
  • [COMMAND_EXECUTION]: The skill workflow executes multiple shell commands (npx, python3, bash, ffmpeg). In Step 4, it passes AI-generated text—which is derived directly from external, untrusted news sources—into a shell command argument: bash path/to/tts.sh speak -t "...". If the external news content contains shell metacharacters (such as backticks, semicolons, or dollar signs), it could lead to command injection on the host system.
  • [COMMAND_EXECUTION]: The skill uses ffmpeg with the -safe 0 flag to concatenate files listed in list.txt. While this is used for merging audio segments, the -safe 0 flag allows the demuxer to access any file path, which could be exploited if the contents of the file list are manipulated.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 19, 2026, 10:39 AM