Security audit

Huanling Skill Zhihu

Security checks across malware telemetry and agentic risk

Overview

This book-discussion skill is mostly coherent, but it asks for under-disclosed profiling and automatic voice-related environment changes that users should review before installing.

Review this skill carefully before installing. Its core literary assistant behavior is not malicious, but voice support may install a Python package and use a third-party TTS service despite local-only wording, and the onboarding/persona system asks about personal and emotional state. Install only if you are comfortable with those behaviors, avoid sharing sensitive information, and disable or skip voice setup unless the data flow is clarified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: The skill instructs the agent to run a local script on every reply and to install a package automatically if it is missing. That expands a simple discussion persona into code execution and environment modification, creating an unnecessary attack surface and normalizing subprocess execution unrelated to the skill's core purpose.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: Automatically invoking pip install from skill logic allows the skill to modify the host environment without strong justification. This can introduce supply-chain risk, break reproducibility, and violate least-privilege expectations, especially for a content-focused skill that does not need runtime package management to fulfill its primary function.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The privacy section states that TTS is local-only and does not transmit user content to third parties, but edge-tts typically relies on remote Microsoft speech services rather than offline synthesis. This creates a material mismatch between user-facing privacy claims and actual data flow, which can expose user content without informed consent.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The installation guide advertises capabilities such as voice reply, reader profiling, full-book embedding, interviews, and session management that go beyond the metadata's claimed 'strict boundary' of only discussing the book. A mismatch between declared scope and documented behavior is dangerous because users and platform reviewers may rely on the narrower manifest while the skill actually performs broader collection or interaction functions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The guide says the skill will guide the user through personal setup questions and then 'remember who you are,' which conflicts with the stated limited book-only interaction boundary. This creates risk of covert statefulness and profile retention beyond what a user would expect from a narrowly scoped book-discussion skill.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: '99 reader personas' implies profiling or classification of users, but the stated skill purpose is limited to discussing a book and related interviews. Unjustified profiling can lead to unnecessary collection or inference of personal attributes, especially when no transparency, consent, or limitations are described.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger list includes broad everyday terms such as '边界' ("boundary") and '书中' ("in the book"), which can cause accidental activation in unrelated conversations. Unintended invocation can expose users to profiling, boundary enforcement, or code paths like voice setup that they did not intend to engage with.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The setup flow asks about reading status, relationship with AI, and current state, then states the skill will remember the user, but gives no notice about retention, storage scope, or handling of this conversational/profile data. In a quasi-personalized literary assistant context, users may disclose sensitive preferences or emotional state without realizing that these may be persisted.

Ssd 3
Severity: Medium
Confidence: 90%
Finding: The skill claims to remember who the user is, what they have read, and their current state after a guided exchange. Even if only session-scoped, this encourages retention and reuse of identity- and emotion-linked data beyond what is needed for answering book questions, increasing privacy and profiling risk.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: The four-round onboarding explicitly collects reading status, AI usage patterns, emotional condition, and conversation motive, then writes them into session state for adaptive behavior. This is structured profiling of personal and affective data that exceeds what is necessary for a narrow book-discussion skill and could be misused if retained or surfaced unexpectedly.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The persona-matching workflow systematically extracts self-disclosure, emotional signals, and attitude toward AI to assign a reader profile and steer future responses. This is explicit behavioral profiling, and in context it increases the sensitivity of accidental invocation or privacy misrepresentation elsewhere in the skill.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.