Zulk Short URL Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zu.lk URL-shortener integration, but it can access and change organization links, analytics, and membership after OAuth sign-in.

Install only if you trust Zu.lk with the links, organization metadata, member information, and analytics you ask the agent to handle. Use the intended Google/Zu.lk account, prefer the direct HTTPS MCP configuration, and require explicit confirmation before changing link destinations, adding or removing members, or granting ADMIN/OWNER roles.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to connect to a remote MCP service that can access organization lists, member data, links, and analytics, but it does not clearly warn that these potentially sensitive business records will be exposed to a third-party service once authenticated. This increases the risk of uninformed consent, oversharing of internal organizational data, and accidental disclosure of membership or campaign analytics through the agent workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal