Security audit

Design Framework Suite - Main Control Router (设计框架套件 - 主控路由)

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly coherent Telegram/OpenRouter design automation suite, but it needs review because it uses sensitive credentials and outbound messaging with weak scoping and confusing configuration.

Install only after reviewing all companion skills, replacing every Telegram ID and trigger value, and confirming the intended group and owner targets. Treat it as a credential-using automation that can send content to Telegram and OpenRouter; rotate credentials if these scripts have already run on a shared machine, and prefer a version that avoids plaintext /tmp secret files and adds explicit authorization checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares no permissions, yet the documented behavior and associated findings indicate access to local files, network services, and shell-like capabilities. This creates a transparency and consent failure: operators may enable the skill believing it is a simple router while it can access credentials, contact external APIs, and manipulate local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose says this skill only routes messages, but the detected behavior includes reading sensitive config and credentials, calling external APIs, sending Telegram messages and images, and managing state files. That mismatch is dangerous because it hides privileged and externally communicating behavior behind an innocuous description, increasing the chance of unsafe installation and reducing meaningful review.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script reads a provider API key from the user's local configuration and makes a direct outbound request to OpenRouter to generate images, which is materially broader than the declared skill purpose of only routing @mentions to sub-skills. This mismatch is dangerous because users and reviewers may grant trust based on the routing-only description while the skill actually performs credentialed external actions and transmits user content off-host.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A skill presented as a controller/router should not independently access stored credentials and invoke a remote model provider unless that capability is clearly justified and disclosed. Embedding this capability in the router increases the risk of covert data egress and unauthorized use of the user's paid API credentials under a misleading trust boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says this skill is a group-message @mention router, but the script actually reads local credentials, loads local files, and invokes an external LLM service to generate prompts. This capability mismatch is dangerous because it expands trust far beyond the declared purpose, making operators more likely to authorize or deploy code that exfiltrates local content and uses networked model access unexpectedly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script reads an OpenRouter API key from a local credential store and uses it to call an external LLM, despite the stated skill purpose not justifying such access. In an agent environment, unjustified credential and network access materially increases the risk of secret misuse, unauthorized billing, and transmission of sensitive local data to third parties.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script is described as a controller/router skill, but it directly reads content and sends it to Telegram using stored bot credentials. That creates an undisclosed data-exfiltration capability beyond the stated purpose, increasing the risk that sensitive design content is transmitted to an external party without appropriate authorization or review.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script pulls a Telegram bot token from a local credential store to perform outbound messaging, even though the skill's stated purpose does not justify that capability. Giving a routing skill access to messaging credentials broadens its privileges and increases the blast radius if the skill is abused or misconfigured.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script’s behavior is inconsistent with the declared skill purpose: instead of only routing group @mentions, it can send a private Telegram image message to an arbitrary target using locally stored bot credentials. This hidden outbound messaging capability expands the trust boundary and could be abused for covert data delivery or unauthorized direct contact.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads a bot token from a local credential store and uses it to message Telegram targets, even though that capability is not justified by the stated role of a group-message router. Undocumented access to sensitive credentials combined with outbound messaging increases the risk of misuse, data exfiltration, or sending messages outside expected workflows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads a Telegram bot token from local configuration and uses it to perform outbound messaging, which materially expands the capability of a skill described as only routing based on mentions/state. In an agent-skill context, undeclared credential access and message transmission create a covert exfiltration and impersonation channel, especially because the token is also written in plaintext to a temporary file.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code performs direct HTTP requests to the Telegram Bot API to send arbitrary file contents to a chat, which exceeds the stated routing-only purpose of the skill. In practice, this mismatch makes the component more dangerous because a router is trusted infrastructure; adding network send capability enables unreviewed data egress and bot-driven message actions.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation condition appears to be any group message containing an @mention, with no documented constraints on allowed senders, chats, commands, or confirmation gates. In a Telegram group context, that broad trigger can let unintended users invoke workflow steps, spam external API usage, or interfere with task state simply by mentioning the bot.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill declares activation on group-message @mentions but does not define scope boundaries, allowed chat contexts, sender restrictions, or exclusion rules. In a group environment this can cause unintended triggering, routing of unrelated conversations into automation flows, and accidental processing of sensitive content from users who did not clearly intend to invoke the skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently extracts the OpenRouter API key from the user's configuration file without notifying the user at runtime. Even if used for legitimate functionality, undisclosed secret access violates least surprise and makes abuse harder to detect, especially in a skill whose metadata does not advertise credentialed external operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt is sent to an external HTTP API endpoint without an explicit warning that user-provided content leaves the local system. This creates a privacy and data-governance risk because prompts may contain sensitive internal information, and the deceptive skill context makes that transmission less likely to be expected by the user.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API key is loaded from a local secret file and then embedded in a plaintext temporary JSON file under /tmp, creating an avoidable exposure window. Even with cleanup on exit, temporary plaintext storage can leak via crashes, race conditions, permissive temp-directory visibility, backups, or other local inspection paths.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the contents of the supplied framework file and optional image file to an external API without any explicit user-facing notice or consent. Because these inputs are local files that may contain proprietary, sensitive, or personal information, undisclosed off-system transmission creates a real data-exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The bot token is written in plaintext to a temporary file, which unnecessarily expands exposure of a sensitive secret on the local filesystem. Even with cleanup on exit, crashes, race conditions, permissive /tmp behavior, or local process inspection could expose the credential and enable unauthorized Telegram API use.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends message content to Telegram over the network without any user-facing disclosure or confirmation, which is risky when the content may include sensitive internal design information. In the context of a skill advertised as a router, silent third-party transmission is especially concerning because users and operators may not expect data to leave the system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently reads a Telegram bot token from a local secrets file without disclosure or interactive consent, which means operators may not realize the skill is using privileged credentials. In an adversarial or misconfigured environment, this can enable unauthorized messaging and make credential misuse harder to detect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script transmits the contents of the provided message file to Telegram without any user-visible disclosure or confirmation within the script. In a skill ecosystem, silent outbound transfer is risky because the file may contain prompts, user data, secrets, or internal state that gets sent to an external service without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script accesses a sensitive bot token from a local config and materializes it in plaintext JSON under /tmp, increasing exposure to local disclosure through process inspection, temporary-file races, permissive filesystem settings, backups, or crash artifacts. Because the token authorizes sending as the bot, compromise of this secret can enable unauthorized messaging, impersonation, and abuse of the Telegram integration.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.