自媒体文案生成器 (Self-Media Copywriting Generator)

Security checks across malware telemetry and agentic risk

Overview

This looks like a real social-media copywriting skill, but it embeds a third-party LLM API key and does not clearly tell users when their prompts could be sent outside the local tool.

Review the code before installing. Do not use this with confidential prompts unless the DashScope path is removed or clearly gated behind user consent. The embedded API key should be revoked, rotated, and replaced with user-provided environment configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares no permissions, yet the documented behavior and associated static analysis indicate capabilities for file writing and external network access. This is dangerous because users and hosting platforms cannot make an informed trust decision, and the undeclared network/file capabilities increase the risk of silent data exfiltration or unexpected file system modifications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is local copy generation, but the actual behavior reportedly sends user-provided content to an external LLM service and uses a hardcoded third-party API key. This is dangerous because it creates undisclosed third-party data exposure, expands the attack surface through outbound requests, and exposes a hardcoded credential that anyone with access to the skill package can extract and abuse.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The generator sends user-supplied prompts and content to an external DashScope service, but the skill description does not clearly disclose that third-party data transfer occurs. This creates a real privacy and data-handling risk because users may submit sensitive business, marketing, or personal content under the assumption that processing is local.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
A hardcoded API key is embedded directly in source code, which is a clear secret-management vulnerability. Anyone with access to the repository, package, logs, or distributed artifact can extract and abuse the credential, leading to unauthorized API usage, billing fraud, or account compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The devlog states that the skill sends prompts to an external DashScope endpoint and uses an existing API key, but it does not mention any user-facing disclosure, consent, or data-handling warning. In a content-generation skill, users may provide sensitive business ideas, drafts, customer details, or personal data, so silent transmission to a third-party LLM service creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The LLM request includes user-controlled fields such as topic, keywords, tone, and target audience, and sends them to a remote API without clear notice or consent flow. This is a genuine security/privacy issue because users may unknowingly disclose proprietary campaign plans, personal data, or sensitive business material to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The design includes automatic filling based on historical preferences and retention of generation history, but it provides no notice, consent flow, retention limits, or explanation of how that data is stored and used. In a content-generation tool, this can expose sensitive business plans, campaign content, product details, or personal profile information through unnecessary collection or long-term storage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The design proposes platform API integration, effect tracking, and optimization based on historical data without warning users that their content or analytics may be sent to external platforms or third-party services. This creates privacy and compliance risk because users may unknowingly transmit proprietary marketing material, account-linked metrics, or behavioral data outside the application boundary.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The requirements describe collecting and learning from user preferences, historical high-quality copy, competitor analysis, and tracking content performance through platform API integrations, but they do not specify user notice, consent, data minimization, retention, or privacy controls. This can lead to undisclosed profiling and over-collection of behavioral data, creating privacy, compliance, and trust risks if implemented as written.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The development plan explicitly includes local storage of generation history, which may contain user-provided prompts, brand terms, or unpublished marketing content, but it does not mention consent, retention limits, visibility, or deletion controls. In a content-generation skill, stored history can expose sensitive business drafts or personal data to other local users or through later compromise, making this a real privacy weakness even if not an active exploit primitive.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plan proposes hot-topic API integration and feedback interfaces, which can result in user data, prompts, generated content, or usage telemetry being sent to external services, yet there is no mention of disclosure, consent, minimization, or third-party privacy review. Because this skill handles user-created marketing content that may include confidential campaign material or account strategy, undisclosed outbound transmission increases privacy and data-handling risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger patterns are very broad and could activate on generic user requests such as any request mentioning articles or copywriting. Over-broad invocation increases the chance the skill is selected outside its intended context, which can expose user content to this skill unexpectedly and cause unauthorized or confusing behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
