Back to skill

Security audit

JustFix

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed JustFix quote-and-booking-link integration with some broad activation guidance, but no hidden execution, credential use, automatic purchase, or destructive behavior was found.

Install only if you are comfortable with your agent sending UK trades job descriptions to JustFix's public MCP service. Configure triggers narrowly, especially in Cursor, and disclose to users that booking links go to JustFix and include a unique attribution ID before they click through.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The example expands the skill from quote/estimate requests into general service discovery, which can cause the agent to invoke or advertise the skill outside its declared scope. In an agentic system, this kind of scope drift is dangerous because it increases unintended activation and may route users into a commercial booking flow when they only asked for informational help.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that each estimate is tagged with a unique booking-link tracking identifier for attribution, but it does not clearly disclose to end users what data is tracked, who receives it, or how it is used. In a skill that generates tappable booking URLs, this creates a meaningful privacy and transparency issue because users may click links believing they are neutral booking links when they actually embed attribution/tracking metadata.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list is broad enough that an agent may invoke this skill for generic repair or booking requests without strong user intent to use JustFix specifically. In a tool-enabled agent, that can cause unintended disclosure of user job details to a third-party MCP service and steer users into an external booking flow they did not explicitly request.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The skill states that booking URLs contain a unique `chatgpt_booking_link_id` for attribution, but the user-facing rendering instructions do not clearly disclose that the link is trackable or unique to the conversation. This creates a transparency and privacy issue because users may click a tagged link without understanding that it is used to attribute MCP-driven bookings.

Vague Triggers

Low
Confidence
84% confidence
Finding
The listed variations are broad enough to trigger the skill for vague discovery questions rather than clear quote-seeking intent. This weak intent boundary can cause over-triggering, unnecessary tool use, and user redirection into pricing or booking flows that were not explicitly requested.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The installation guidance explicitly recommends marking the rule as "always active" or using very broad trigger terms like "quote, estimate, price, trades, plumbing, electrical." In Cursor, this can cause the skill to be invoked in unrelated conversations, increasing the chance that user prompts or project content are unnecessarily sent to the JustFix MCP and that the assistant produces pricing/booking behavior outside the intended context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.