技能自动发布器 (Skill Auto Publisher)

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned in broad terms, but it exposes and uses real-looking credentials and automates account-authenticated publishing and task submissions in ways users should review carefully.

Install only after removing and rotating all embedded credentials, replacing automated password/token scraping with user-driven OAuth or scoped tokens, and adding explicit confirmation before any external publish, task application, or delivery submission. Treat the included GitHub and BotStreet secrets as compromised.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Severity: High (99% confidence)
The skill includes hardcoded GitHub credentials and instructs the agent to read a secret file and use those credentials during an automated login flow. This creates a direct secret-exfiltration and account-compromise risk, especially because the workflow also captures and persists an authentication token.

Intent-Code Divergence

Severity: High (90% confidence)
The document states that every operation must pass a strict review gate, but the skill only describes procedural review steps and then exposes direct operational commands that can be run immediately. This creates a false sense of safety: users or agents may believe controls are enforced when in reality apply/deliver actions can proceed without any technical guardrail, enabling unsafe or policy-violating transactions.

Intent-Code Divergence

Severity: Medium (84% confidence)
The skill claims that all operations require review, yet it documents account and platform actions such as applying, delivering, and querying authenticated resources without any described mechanism that enforces that requirement. When a skill mixes mandatory-review language with unrestricted authenticated actions, it increases the chance of unauthorized, accidental, or noncompliant use.

Context-Inappropriate Capability

Severity: High (99% confidence)
The script embeds a live default agent ID and agent key directly in source code, then uses them automatically for authenticated requests if the user does not override them. This creates immediate account-authenticated remote access for anyone who can read or run the skill, enabling unauthorized actions against the associated BotStreet account.

Missing User Warnings

Severity: High (95% confidence)
The document describes automatically reading and filling login credentials without any meaningful warning, consent gate, or restriction. In the context of an agent skill, this normalizes secret use by the agent and increases the chance of unauthorized account access or credential leakage.

Missing User Warnings

Severity: High (96% confidence)
The workflow instructs the agent to extract a token from a page body and save it for CLI login, but provides no security guidance on storage, redaction, or scope. This exposes a reusable authentication artifact that could be logged, leaked, or reused for unauthorized publishing actions.

Missing User Warnings

Severity: Medium (89% confidence)
The README documents `apply` and `deliver` commands that send user-provided proposal text and delivery content to an external BotStreet service, but it does not clearly warn the user that these actions transmit data off-platform and may create real external submissions. In an agent skill context, this can cause unintended disclosure of user content or accidental execution of real-world actions if an agent follows the examples without explicit user confirmation.

Missing User Warnings

Severity: High (99% confidence)
The skill contains live-looking agent credentials directly in the documentation, which is a direct secret exposure. Anyone with access to the skill file can reuse those credentials to impersonate the agent, access account data, apply for tasks, submit deliverables, or abuse the external service.

Natural-Language Policy Violations

Severity: High (98% confidence)
The skill explicitly instructs the operator to ensure generated content contains no AI authorship markers, framing concealment as mandatory. This is dangerous because it promotes deceptive disclosure practices and may facilitate fraud, platform policy evasion, or misrepresentation of authorship to buyers and end users.

Missing User Warnings

Severity: Medium (94% confidence)
The documentation instructs users to send an `x-agent-key` described as an agent private key in every request, but it provides no guidance on secure storage, rotation, redaction, or prohibitions against exposing it in client-side code, logs, or shared prompts. In an agent-skill context, operators may copy this credential into configs or workflows that are later leaked, enabling unauthorized API access as the agent.

Missing User Warnings

Severity: High (98% confidence)
The hardcoded agent credentials are not merely present; they are used by default in API authentication headers for all requests without any disclosure or consent flow. A user may unknowingly operate on someone else's account or trigger privileged remote actions, which makes the exposure materially dangerous rather than a passive secret leak.

Missing User Warnings

Severity: Medium (84% confidence)
The deliver command sends user-supplied content directly to an external BotStreet API endpoint, but the CLI does not clearly warn that this text will be transmitted off-host. This can lead to unintentional disclosure of sensitive data if a user assumes the content is processed locally or does not understand where it is being sent.

Vague Triggers

Severity: Medium (89% confidence)
The trigger phrases include broad terms like "AI变现" (AI monetization) and "提示词变现" (prompt monetization), which can match ordinary user conversation rather than an explicit request to invoke this workflow. Overly broad activation can cause unintended routing, leading the agent to enter a sales/monetization workflow in unrelated contexts and potentially produce unwanted promotional or platform-specific guidance.

Missing User Warnings

Severity: Medium (92% confidence)
The report instructs an operator to obtain GitHub account authorization and upload packaged skills to an external platform, but it provides no guidance on safe credential handling, permission scoping, account separation, or review of what content is being published. In an agent-skill context, this can normalize unsafe account-sharing or overbroad authorization and increase the chance of accidental data exposure or unauthorized publication.

Ssd 3

Severity: High (99% confidence)
These instructions explicitly direct the agent to read stored credentials, perform automated login, retrieve a token from page content, and use it for authentication. In a skill context, that is a strong indicator of unsafe secret handling and creates a practical path to credential theft, account takeover, and unauthorized publication.

Ssd 3

Severity: High (99% confidence)
The skill repeats the account email and password directly in operational instructions, exposing secrets in plaintext inside the skill itself. Any user, tool, log, or downstream system with access to the file can recover and misuse them, making compromise immediate rather than theoretical.

Ssd 4

Severity: High (97% confidence)
The review process is presented as a safety measure, but one of the mandatory checks is specifically designed to strip or prevent any indication that content was AI-generated. That makes the review narrative deceptive: instead of reducing misuse, it operationalizes concealment and scales misleading submissions across the workflow.

Ssd 4

Severity: High (96% confidence)
The 'zero AI markers' rule is repeated in the note section as a core operating principle, which normalizes deceptive behavior beyond a single checklist and makes concealment a standing requirement. Repetition increases the likelihood that users and downstream agents will treat misrepresentation as expected behavior, amplifying compliance, reputational, and fraud risk.

VirusTotal

No VirusTotal findings