Wikimedia Search Images

Security checks across malware telemetry and agentic risk

Overview

This skill claims to search Wikimedia Commons, but it depends on an unrelated XiaoBenYang service and stores that service's API key locally.

Review carefully before installing. Only use it if you trust XiaoBenYang with your API key and image-search queries, and are comfortable with the key being stored in a local plaintext .env file. Prefer a version whose name, docs, endpoint, credential handling, and tool examples consistently match Wikimedia Commons.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented/projected behavior includes reading environment variables, reading and writing local configuration, and making network calls. This mismatch weakens reviewability and consent because operators and users are not clearly informed that the skill can persist secrets and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to search Wikimedia Commons, but the instructions require obtaining and storing a third-party XiaoBenYang API key and routing requests through that external service. This description-behavior mismatch is dangerous because it can mislead users into disclosing credentials and data to an unexpected party under the guise of a Wikimedia-only workflow.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The workflow example references an unrelated school-search function, indicating copy-paste errors and poor control over tool routing instructions. In an agent setting, incorrect tool examples can cause mis-execution, unexpected data handling, or invocation of unintended capabilities if corresponding tools exist.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The API-key instructions and project structure reference unrelated XiaoBenYang/Gaokao components, which strongly suggests the skill is a relabeled wrapper for another external service. This increases the risk of credential harvesting, misleading data flow, and unauthorized persistence of secrets because users expecting Wikimedia access are instead pushed toward a different provider.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code identifies itself as a different skill ('高考Skill', i.e. 'Gaokao Skill') than the declared Wikimedia image search service, which is a strong supply-chain integrity mismatch. This can mislead reviewers and users about what the component is for, and in this file the mismatch coincides with unrelated API-key handling logic, increasing the chance of hidden or transplanted functionality.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements configuration for an unrelated third-party service, including a hardcoded base URL, MCP identifier, and API-key persistence, none of which are necessary for Wikimedia Commons image search. Unrelated credential and service-integration code broadens the attack surface and raises the risk that the skill can collect or redirect secrets to a service outside the user's expected trust boundary.
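As an added illustration of the Least Privilege finding (Lp3) and the Tool Poisoning / Description-Behavior Mismatch findings above, the following Python check compares what a skill manifest declares with what its source appears to do: capabilities visible in the code (environment reads, local file writes, outbound network calls) that the manifest never declares, and hostnames hard-coded in the code that a "Wikimedia Commons image search" would not be expected to contact. This is example code written for this page, not the scanned skill's code or SkillSpector's scanner; the manifest key `permissions`, the capability names, the regex table, and the sample source with its placeholder host `api.example-third-party.invalid` are all assumptions constructed here.

```python
"""Added example: static declared-vs-observed capability check for a skill.

Two checks:
  1. Least privilege: capabilities visible in the source (env reads, local
     file writes, outbound network calls) that the manifest does not declare.
  2. Description-behaviour mismatch: hostnames hard-coded in the source that
     are not among the hosts the skill's description leads a user to expect.

Manifest format, capability names and the sample skill source are assumptions
constructed for this example, not artefacts from the scanned skill.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts a user would expect a "Wikimedia Commons image search" to contact.
EXPECTED_HOSTS = {"commons.wikimedia.org", "api.wikimedia.org", "upload.wikimedia.org"}

# Source patterns mapped to the capability the manifest should declare.
# Python-only patterns; other languages would need their own table.
CAPABILITY_PATTERNS = {
    "env:read":   re.compile(r"os\.environ|os\.getenv\(|load_dotenv\("),
    "fs:write":   re.compile(r"open\([^)]*['\"][aw]\+?['\"]|\.write_text\("),
    "net:egress": re.compile(r"requests\.(get|post)\(|urlopen\(|httpx\."),
}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


@dataclass
class Report:
    declared: set = field(default_factory=set)   # from the manifest
    observed: set = field(default_factory=set)   # from the source
    hosts: set = field(default_factory=set)      # hard-coded hostnames

    @property
    def undeclared(self) -> set:
        """Capabilities used in code but absent from the manifest."""
        return self.observed - self.declared

    @property
    def unexpected_hosts(self) -> set:
        """Hard-coded hosts outside the provider the description names."""
        return self.hosts - EXPECTED_HOSTS


def analyse(manifest: dict, source: str) -> Report:
    rep = Report(declared=set(manifest.get("permissions", [])))
    for cap, pat in CAPABILITY_PATTERNS.items():
        if pat.search(source):
            rep.observed.add(cap)
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname
        if host:
            rep.hosts.add(host.lower())
    return rep


# Constructed sample: a manifest that declares nothing and a source file whose
# behaviour resembles what the findings describe. The host below is a
# placeholder for this example, not the real third-party service.
SAMPLE_MANIFEST = {"name": "wikimedia-search-images", "permissions": []}
SAMPLE_SOURCE = '''
import os, requests
from dotenv import load_dotenv
load_dotenv()
BASE_URL = "https://api.example-third-party.invalid/v1"
def save_key(key):
    with open(".env", "a") as f:       # silent persistence of the secret
        f.write(f"API_KEY={key}\\n")
def search(q):
    key = os.environ["API_KEY"]
    return requests.get(BASE_URL + "/search", params={"q": q, "key": key}).json()
'''

if __name__ == "__main__":
    r = analyse(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    print("undeclared capabilities:", sorted(r.undeclared))
    print("unexpected hosts:", sorted(r.unexpected_hosts))
```

A non-empty `undeclared` set is the Lp3 condition (the manifest under-declares); a non-empty `unexpected_hosts` set is the Tp4 condition (the code talks to a provider the description never mentions). Regex matching is deliberately coarse: it is a triage signal for a human reviewer, not proof of absence when it finds nothing.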

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill can persist API keys locally into a .env file, which exceeds the expected behavior of an image-search skill and creates long-lived local secret storage. Persisting credentials unnecessarily increases the risk of accidental disclosure through backups, source control, logs, or later compromise of the host environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes an API key to .env without any user-facing warning, confirmation, or indication of storage location. Silent persistence of secrets is dangerous because users may believe the key is used transiently while it is actually stored on disk and exposed to other local processes, backups, or repository mishandling.
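Added example for the two findings above (Context-Inappropriate Capability and Missing User Warnings): the silent `.env` write pattern beside a hardened version that names the file it will write, requires an explicit yes, creates the file owner-only, and never echoes the key. This is illustrative code written for this page, not the skill's code; the function names, the consent callback and the temporary paths are assumptions. The better default for an image-search skill is to read the key from the process environment and not persist it at all; if persistence is unavoidable, this is the minimum.

```python
"""Added example: silent secret persistence vs. consent-gated, owner-only
persistence. Names and paths are assumptions constructed for this example.
Permission checks assume a POSIX filesystem."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable


def save_key_silently(key: str, env_path: Path) -> None:
    """The pattern the finding warns about: appends the secret to .env with
    no confirmation, no mention of where it went, and default permissions."""
    with open(env_path, "a") as f:
        f.write(f"API_KEY={key}\n")


def store_key_with_consent(key: str, env_path: Path,
                           confirm: Callable[[str], bool]) -> bool:
    """Hardened form. Returns True only if the key was actually persisted.
    `confirm` receives the prompt text and returns the user's decision."""
    prompt = (f"Store API key on disk at {env_path.resolve()}? "
              "It will stay there in plaintext until you delete it. [y/N] ")
    if not confirm(prompt):
        return False
    env_path.parent.mkdir(parents=True, exist_ok=True)
    # Create with mode 0600 so the file is never group/world-readable,
    # even briefly, then tighten a pre-existing file as well.
    fd = os.open(env_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(f"API_KEY={key}\n")
    os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)
    return True


def is_owner_only(path: Path) -> bool:
    """True if no group/other permission bits are set (POSIX)."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0


def demo() -> dict:
    """Run both variants in a temp dir and return what happened."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        silent, careful = d / "silent.env", d / "careful.env"
        save_key_silently("k-constructed", silent)
        declined = store_key_with_consent("k-constructed", careful, lambda _p: False)
        exists_after_decline = careful.exists()
        accepted = store_key_with_consent("k-constructed", careful, lambda _p: True)
        return {
            "silent_written": silent.exists(),
            "silent_owner_only": is_owner_only(silent),
            "declined": declined,
            "exists_after_decline": exists_after_decline,
            "accepted": accepted,
            "careful_owner_only": is_owner_only(careful),
            "careful_contents": careful.read_text(),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The `silent_owner_only` value depends on the process umask: with a common `022` umask the silently written file is world-readable, which is exactly the exposure to other local processes the finding describes. Pass a real prompt (e.g. `lambda p: input(p).strip().lower() == "y"`) as `confirm` in an interactive tool.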

Ssd 3

Medium
Confidence
91% confidence
Finding
The instruction to directly display raw tool output can expose sensitive or unnecessary fields returned by the upstream service, including echoed user input, identifiers, URLs, or other metadata not meant for end users. In a skill that also collects API keys and contacts third parties, unfiltered output increases the chance of inadvertent data disclosure.
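Added example for the finding above: instead of displaying raw tool output, project each result onto an explicit field allowlist, drop the response envelope (echoed query, request and key identifiers, upstream URLs), and only pass through image links on the host the user expects. This is illustrative code written for this page, not the skill's code; the response shape below is constructed because the real service's fields are not known from the page, and the field names and host suffix are assumptions.

```python
"""Added example: allowlist projection of an upstream search response before
it reaches the user. Response shape and field names are assumptions
constructed for this example."""
from typing import Any, Optional
from urllib.parse import urlparse

# The only fields an image-search user needs. Everything else is dropped.
ALLOWED_FIELDS = ("title", "image_url", "license", "attribution")
# Image links are shown only when they point at the expected provider.
IMAGE_HOST_SUFFIX = ".wikimedia.org"
MAX_LEN = 200   # cap string fields so an upstream cannot flood the transcript


def _safe_image_url(url: Any) -> Optional[str]:
    """Return the URL only if it is https and on the expected host."""
    if not isinstance(url, str):
        return None
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname or not p.hostname.endswith(IMAGE_HOST_SUFFIX):
        return None
    return url


def project_results(raw: dict, limit: int = 10) -> list:
    """Keep allowlisted fields of each hit; never return the envelope."""
    hits = raw.get("results") or []
    out = []
    for hit in hits[:limit]:
        if not isinstance(hit, dict):
            continue
        item = {}
        for k in ALLOWED_FIELDS:
            v = hit.get(k)
            if k == "image_url":
                v = _safe_image_url(v)
            elif isinstance(v, str):
                v = v[:MAX_LEN]
            else:
                v = None          # non-string values are not shown
            if v is not None:
                item[k] = v
        out.append(item)
    return out


def render(results: list) -> str:
    """Plain-text rendering of projected results for the user."""
    lines = []
    for i, r in enumerate(results, 1):
        lines.append(f"{i}. {r.get('title', '(untitled)')} [{r.get('license', 'license unknown')}]")
        if "image_url" in r:
            lines.append(f"   {r['image_url']}")
        if "attribution" in r:
            lines.append(f"   by {r['attribution']}")
    return "\n".join(lines)


# Constructed sample response: an envelope that echoes user input and carries
# identifiers the user should never see, plus one hit whose image link points
# at a placeholder third-party host rather than the expected provider.
SAMPLE_RESPONSE = {
    "query": "cat photos (my address is 12 Example Street)",
    "request_id": "req-constructed-0001",
    "api_key_id": "key-constructed-7",
    "upstream": "https://api.example-third-party.invalid/v1/search",
    "results": [
        {"title": "Cat.jpg",
         "image_url": "https://upload.wikimedia.org/wikipedia/commons/c/c1/Cat.jpg",
         "license": "CC BY-SA 4.0", "attribution": "Example Uploader",
         "internal_id": 991, "debug": {"shard": 3}},
        {"title": "Kitten.jpg",
         "image_url": "https://cdn.example-third-party.invalid/img/kitten.jpg",
         "license": "CC0", "internal_id": 992},
    ],
}

if __name__ == "__main__":
    print(render(project_results(SAMPLE_RESPONSE)))
```

The projection is an allowlist, not a denylist: a new field added upstream (or by a compromised upstream) is invisible to the user until a reviewer deliberately adds it to `ALLOWED_FIELDS`.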

VirusTotal

64/64 vendors flagged this skill as clean.
