Star Office

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real office-dashboard skill, but it combines public exposure, weak defaults, credential handling, and mutable status/asset features that need user review before installation.

Install only if you are comfortable running a local web dashboard that may be shared publicly. Before exposing it, set strong FLASK_SECRET_KEY and ASSET_DRAWER_PASS values, avoid the default 1234 password, restrict access with Cloudflare Access/basic auth/IP allowlists, and review what status text and memo files may reveal. Do not enter a Gemini API key unless you accept that the app stores and uses it server-side, and treat the desktop wrappers and asset upload features as experimental/admin-only surfaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (29)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
                f"magick '{td}/f_*.png'{prep} "
                f"-tile {cols_eff}x{rows_eff} -background none -geometry +0+0 {quality_flag} '{out_path}'"
            )
            rc = os.system(cmd)
            if rc != 0:
                raise RuntimeError("ImageMagick 拼图失败")
            return out_path, cols_eff, rows_eff, frames, out_fw, out_fh
Confidence
98% confidence
Finding
rc = os.system(cmd)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
            f"-vf '{vf}' "
            f"{ffmpeg_quality} '{out_path}' >/dev/null 2>&1"
        )
        if os.system(cmd2) != 0:
            raise RuntimeError("ffmpeg 拼图失败")
        return out_path, frames, 1, frames, out_fw, out_fh
Confidence
98% confidence
Finding
if os.system(cmd2) != 0:

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        if frames <= 0:
            cmd1 = f"ffmpeg -y -i '{upload_path}' '{td}/f_%04d.png' >/dev/null 2>&1"
            if os.system(cmd1) != 0:
                raise RuntimeError("动图抽帧失败(Pillow/ffmpeg 都失败)")
            files = sorted([x for x in os.listdir(td) if x.startswith("f_") and x.endswith(".png")])
            frames = len(files)
Confidence
97% confidence
Finding
if os.system(cmd1) != 0:

Tainted flow: 'STATE_FILE' from os.environ.get (line 15, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
}

def save_state(state):
    with open(STATE_FILE, "w", encoding="utf-8") as f:
        json.dump(state, f, ensure_ascii=False, indent=2)

if __name__ == "__main__":
Confidence
93% confidence
Finding
with open(STATE_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill directs the agent to execute shell commands, access environment variables, read and write local files, and expose the service publicly, yet it declares no permissions or constraints. This creates an unsafe mismatch between apparent scope and actual capabilities, making over-privileged or unintended execution more likely in an agent environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially exceeds the stated purpose of a simple one-click dashboard deployer by including asset-management APIs, API-key handling, local memo ingestion, desktop app control, service restart capability, and public exposure workflows. This hidden breadth increases the chance that users or orchestrators will trust and invoke the skill without understanding the full security-sensitive actions it can enable.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The backend exposes broad asset-editing and AI image-generation capabilities that materially exceed the stated office-board/status-visualization scope. Scope expansion increases attack surface, introduces destructive file modification features, and makes it easier to smuggle risky capabilities behind a benign-looking skill description.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The application stores a Gemini API key in runtime configuration and uses it for external image generation, which is not clearly necessary for the advertised office UI. Storing third-party credentials inside an app with broad file-editing endpoints increases the blast radius if the app or session auth is compromised.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The join-agent flow claims pending authorization but actually auto-approves any requester presenting a valid join key. This weakens the trust boundary: possession of a key becomes sufficient for immediate participation and status updates, contrary to the apparent security model and user expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The Tauri command `open_external_url(url: String)` accepts an arbitrary string from the frontend and passes it directly to an OS-level URL opener (`open`, `cmd /C start`, or `xdg-open`). While this is likely intended for convenience, it enables unvalidated external navigation and execution of platform-registered URI schemes, which can be abused for phishing, unexpected app launches, or opening dangerous local/file/custom-protocol targets.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The page loads executable JavaScript from a third-party CDN at runtime, which introduces a supply-chain risk: if the CDN, package, or transit path is compromised, arbitrary code executes inside the Tauri webview. In this skill context, that is more dangerous than a normal website because the page can access Tauri APIs and invoke native commands such as load_map and read_state, potentially expanding compromise from UI code into local application capabilities.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The renderer can invoke `open_external_url` with an arbitrary `args.url`, and the main process passes it directly to `shell.openExternal()` without validation or allowlisting. If the renderer content is compromised, or if backend-served content can trigger IPC, this enables opening attacker-chosen URLs or URI schemes outside the app, which can facilitate phishing, unexpected app launching, or unsafe protocol handling.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The UI exposes Gemini API key configuration and triggers remote image/background generation, which materially expands the skill's capability from a simple office-board UI into a service that handles secrets and calls external AI infrastructure. This increases attack surface because users may paste sensitive API credentials into a feature whose storage, transmission, and trust boundaries are not clearly constrained in the UI.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The frontend exposes a callable function that sends a POST to /set_state and changes backend agent state directly from browser-side code. Because this is a dashboard/UI skill, embedding a live state-changing path in production-facing client code increases the chance of unauthorized or accidental manipulation, especially if the backend endpoint lacks strong authz and CSRF protections.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comment states the control is for testing, but there is no visible debug-only guard before defining and exposing the live backend mutation path. Test helpers left active in shipped UI are dangerous because they create hidden administrative functionality that may be invoked by users, scripts, or attackers if the server accepts the request.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The page collects a GEMINI API key and sends it to the backend via /config/gemini, but the UI provides little clarity about storage, scope, retention, or who can later use that credential. In a publicly accessible office-board skill, this creates real credential-handling risk: users may disclose a sensitive key without informed consent, and any weak backend access controls would amplify exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs users to expose the dashboard publicly via Cloudflare Tunnel and share the resulting URL, but it does not warn that the dashboard may reveal live agent activity, status text, and other operational metadata to anyone with the link. In the context of an agent dashboard, this omission can lead to unintended privacy and operational-security exposure, especially because users may treat the feature as a simple convenience rather than a data-exposure decision.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to expose the dashboard via a public Cloudflare Tunnel URL and share the link, but it does not warn that the service may reveal live agent status, activity descriptions, guest agent presence, and possibly yesterday-memo content to anyone with the URL. In this skill’s context, the dashboard is specifically designed to visualize operational activity, so public exposure increases the risk of privacy leakage, reconnaissance, and unintended disclosure of internal workflow information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly recommends exposing the service through a public Cloudflare Tunnel and sharing the resulting URL, but it does not prominently warn that the dashboard may reveal agent presence, status text, yesterday memo content, and possibly administrative functionality if authentication is weak or misconfigured. In a skill intended for quick one-click deployment by non-expert users, omission of security guidance materially increases the chance of accidental overexposure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill repeatedly instructs the agent to proactively perform setup, state changes, and public exposure with minimal questioning, but it does not define hard stop conditions or approval boundaries. In an autonomous agent setting, broad activation guidance can lead to unreviewed command execution, environment changes, or internet exposure beyond what the user intended.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The template instructs an agent to make recurring outbound network calls and join a third-party office dashboard, but it does not clearly define when the template may be invoked, which agents it applies to, or what trust boundary checks must occur before use. In a skill context, ambiguous activation can cause unauthorized enrollment or repeated status exfiltration if the template is reused automatically or shown without strong gating and explicit user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This command opens whatever URL the renderer supplies without any warning, confirmation, or trust boundary checks. In a desktop app with a webview frontend, any XSS, compromised UI component, or overly permissive frontend logic could silently send users to attacker-controlled sites or trigger unsafe protocol handlers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Loading a remote script without any disclosure is primarily a trust and transparency issue, but here it also compounds the security risk because users are not informed that code will be fetched and executed from outside the packaged skill. In a Tauri-based desktop context, undisclosed remote-code loading is especially risky since the executed script may interact with privileged app APIs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Arbitrary external URLs are opened from IPC with no user-facing warning, consent prompt, or destination verification. In an Electron app that loads backend content into renderer windows, this increases the blast radius of any renderer compromise or malicious content injection by allowing seamless redirection to phishing pages or dangerous custom URI handlers.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code assigns fetched memo content directly to innerHTML after only replacing newlines, so any HTML returned by /yesterday-memo will be parsed and executed in the page context. If that endpoint can be influenced by an attacker or untrusted user input, this becomes a stored or reflected XSS issue that can steal tokens, manipulate the Electron/web UI, or pivot into more sensitive actions depending on app privileges.

VirusTotal

66/66 vendors flagged this skill as clean.
