Security audit

Jiuwu Message Gateway (久吾消息网关)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends internal company messages through a configured Jiuwu gateway, with clear but nonzero risk around batch sends and plain HTTP defaults.

Install only if you trust the Jiuwu gateway and publisher. Configure JIUWU_MESSAGE_GATEWAY_URL for your environment, prefer HTTPS or a protected internal network, and double-check recipients and message text before any send, especially comma-separated batch sends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares capabilities to read environment variables, access files, and perform network calls, but does not declare any permissions or constraints. This weakens governance and review because a messaging skill can access configuration and send outbound requests without explicit user-visible authorization boundaries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is broad enough to match many generic requests about notifying, reminding, or messaging coworkers, which can cause the skill to activate when the user did not clearly intend to send an internal message. In this context, accidental activation is risky because the action has real-world side effects and supports batch delivery to employees.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description does not prominently warn that it can send messages to internal employees, including batch delivery, which obscures the sensitivity and impact of the action from users and reviewers. In a corporate environment, this increases the chance of misuse, social engineering, spam, or accidental broad distribution of misleading or sensitive content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends recipient identifiers and message content over plain HTTP by default, which exposes potentially sensitive internal communications to interception or tampering by anyone with network visibility. The risk is amplified because the default endpoint is a private IP over cleartext and the user is not warned that data will be transmitted insecurely.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.