Security audit

ninebot-skill

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only Ninebot helper with disclosed vehicle diagnostics and configuration guidance, but users should be careful with reset or speed-related settings.

Install only if you want an assistant to help with Ninebot diagnostics or configuration. Treat factory reset, speed limits, and other parameter changes as high-impact actions: confirm them explicitly, use them only while the vehicle is safely parked, and back up important settings before firmware or reset operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill exposes potentially destructive operations such as parameter changes and factory reset without clearly warning about data loss, safety implications, or operational preconditions. In a vehicle/device-control context, users could unintentionally erase configuration, alter speed-related settings, or put the device into an unsafe state, making this more serious than a generic settings skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal