Currency And Oil

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide currency and oil-price lookups, but it has confusing service identity drift and persists a user API key to a plaintext .env file.

Install only if you are comfortable giving this skill a xiaobenyang API key and having it stored in a local plaintext .env file. Review or rewrite the documentation and config first so the backend, credential handling, and tool examples consistently match the currency/oil purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires environment access, local file read/write, and network access. This mismatch weakens transparency and policy enforcement, making it harder for reviewers and users to understand the real capability and trust boundary of the skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to be a narrow Zenrus currency/oil service, but the documentation also describes credential storage in .env files and a generic upstream API-calling pattern tied to a different provider. This description-behavior mismatch is dangerous because it obscures actual data flows and backend dependencies, increasing the risk of credential misuse, unintended exfiltration, or users granting trust under false assumptions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documentation for a currency/oil skill contains unrelated gaokao and school-search workflow content, indicating copy-paste drift or an incorrectly repurposed skill. Such inconsistency is a security risk because it undermines reviewer confidence in what code paths, data sources, and tool invocations are actually intended, making hidden or accidental unsafe behavior more likely.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The workflow explicitly instructs calling an unrelated school-search function even though the listed tools are for exchange rates and oil prices. This contradiction can cause incorrect tool routing or invocation of unintended functions, which is particularly risky in agent systems where documentation drives model behavior.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documented project structure refers to a different skill domain, suggesting the package may have been copied from another project without a full review. This raises the risk that operators or models will trust incorrect assumptions about included modules, data handling, or callable functionality.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file’s behavior and naming are for a gaokao-related service (`XBY_GAOKAO_`, `xiaobenyang.com`, `XBY_APIKEY`) rather than the declared currency/oil-price skill. This kind of capability/identity mismatch is dangerous because it can mislead reviewers and users into granting secrets to an unrelated backend, increasing the risk of credential exfiltration or unauthorized data flow.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The comment claims the code 'forces' reading from `.env`, but the implementation separately parses `.env` for `XBY_APIKEY` while also using a different Pydantic env prefix and then overriding from the process environment. This inconsistency can cause operators to misunderstand where secrets come from, weakening auditability and making it easier to inject or substitute credentials unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the model to ask the user for an API key and store it locally, but provides no safeguards around secure entry, storage, redaction, rotation, or scope limitation. Credentials handled this way can be exposed through logs, files, debug output, or later misuse by unrelated workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`save_api_key_to_env` persists the API key to `.env` automatically, with no user-facing warning, confirmation, or security controls. Storing long-lived credentials in plaintext on disk can expose them to other local users, accidental commits, backups, or logs, especially in agent/skill environments where users may not expect persistence.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the model to request, store, and reuse a user-provided API key in plain operational language, creating a clear sensitive-data handling risk. In an agent context, this is more dangerous because the model may relay, persist, or expose the secret across tool calls, files, or transcripts beyond the user's expectation.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill tells the model to directly present raw API response data to the user, which can leak unintended fields if the upstream response contains tokens, identifiers, debugging metadata, or other sensitive content. This is riskier here because the upstream service boundary is already poorly documented, so reviewers cannot safely assume the response schema is minimal.

VirusTotal

64/64 vendors flagged this skill as clean.
