Back to skill

Security audit

Office Automation Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a legitimate office-tool catalog, but its included bootstrap script can change the host and automatically bind messaging credentials without clear user control.

Review before installing. Use the skill as a reference catalog if needed, but run scripts/toolkit-bootstrap.sh only with --check-only first and preferably in a virtual environment or container. Do not allow automatic Feishu/lark-cli binding unless those Hermes credentials are intentional, least-privileged, and approved for the task; avoid saving reusable browser auth.json sessions for sensitive accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises tool usage that implies network and shell-capable operations such as package installation, browser setup, and CLI invocation, but it does not declare corresponding permissions. That creates a transparency and governance gap: an agent may select or trust the skill as informational while it can actually drive environment-changing or networked actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The stated purpose is a harmless tool catalog, but the content includes operational instructions that can modify the host, download binaries, inspect environment configuration, and bind credentials via Hermes-backed lark-cli setup. This mismatch is dangerous because it can bypass user expectation and security review, leading an agent to perform package installs, credential-linked setup, or external downloads under the guise of simple discovery.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script's behavior materially exceeds the stated purpose of a passive 'tool registry/list' skill by performing package installation, invoking privileged package managers, probing platform credentials, and auto-binding lark-cli. In an agent-skill context, this mismatch is dangerous because users or orchestrators may trust it as informational while it changes system state and consumes available credentials.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script inspects messaging-platform environment variables and, when Feishu credentials are present, automatically attempts to bind lark-cli using those credentials. Reading and acting on ambient credentials is unjustified for a toolkit-listing skill and can lead to unintended account linkage, misuse of bot credentials, or disclosure of sensitive identifiers in logs.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script performs pip, apt, yum, and brew installations despite the skill being described as a registry/list of available tools. In this context, executing network-backed package installs and system modifications can unexpectedly alter the host environment, introduce supply-chain risk, and cause privileged changes under the guise of simple enumeration.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger phrases are broad enough to match common user requests about available tools or installation help, which increases the chance this skill is invoked in contexts the user did not intend. Because the skill references installation and configuration-capable tooling, overbroad invocation can steer agents toward unnecessary privileged actions or sensitive environment discovery.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The default execution path proceeds from detection into installation behavior without a strong, explicit confirmation gate describing package-manager, network, and privilege side effects. In an automation setting, that can cause users to run a script expecting a harmless check while it installs software or triggers follow-on configuration actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script reads sensitive environment variables and prints identifying values such as FEISHU_APP_ID and WECOM_CORP_ID to output without a privacy warning or masking. In CI, shared terminals, or captured logs, this can leak tenant/application identifiers and reveal which communication platforms are configured, aiding reconnaissance or violating privacy expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.