Back to skill

Security audit

Risha.ai Content Generation

Security checks across malware telemetry and agentic risk

Overview

This Risha.ai skill mostly matches its stated purpose, but it exposes session credentials in a helper command and can spend account credits or persist account-specific catalog data.

Install only if you trust this publisher and need an agent to operate your Risha.ai account. Avoid running the login subcommand unless it is fixed or you can protect/redact logs, confirm credit estimates before generation, and do not refresh catalogs into shared or committed directories if they reveal account-specific capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to use environment variables for credentials, read and write local files, and make authenticated network calls, but it does not declare any permissions. This creates a transparency and policy-enforcement gap: an operator may invoke the skill without realizing it can access secrets, persist API data locally, and send authenticated requests to an external service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The login command prints the full login response, a derived bearer authorization header, and captured cookies directly to stdout. In CLI and agent contexts, stdout is commonly logged, persisted in transcripts, or exposed to downstream tools, so this creates a direct credential disclosure path that can enable account/session takeover.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The reference recommends commands that write live API-derived data into repository reference files without an explicit warning, consent step, or guidance to use a safe temporary/output location. In an agent skill context, this can cause unintended workspace modification, accidental committing of sensitive tenant-specific capability data, or contamination of checked-in documentation with live account data.

Missing User Warnings

High
Confidence
99% confidence
Finding
This code emits highly sensitive authentication material without masking or warning, including session cookies and a usable Authorization header. In an authenticated agent skill, such output is especially dangerous because logs and tool outputs may be visible to users, operators, or other components, turning a routine login into secret exfiltration.

Ssd 1

Medium
Confidence
88% confidence
Finding
The dialect choices for the script writer are not simple locale identifiers; they embed large hidden prompt payloads with behavioral rules, lexical preferences, and explicit instructions to rewrite user text. This creates prompt-injection-like behavior where selecting a dialect can materially override user intent, alter tone/content, or introduce hidden system behavior that downstream callers may not realize they are activating.

Ssd 1

Medium
Confidence
93% confidence
Finding
The TTS dialect selector writes full behavioral instructions into `system_instruction` instead of passing a constrained dialect value. Because `system_instruction` is a high-authority control channel, this design lets a nominal UI choice inject expansive hidden directives that can change wording, persona, pacing, lexical choices, and output behavior beyond mere accent selection.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.