last30days

Security checks across malware telemetry and agentic risk

Overview

The core research tool is coherent, but the package includes under-disclosed watchlist storage, webhook notifications, and local-service integrations that deserve manual review before install.

Install only if you are comfortable with an AISA-backed research tool that sends queries and snippets to external services. Review or avoid the watchlist features unless you want local retention of topics/findings, and do not configure delivery webhooks with sensitive research topics unless the destination is trusted. Avoid requesting the Xiaohongshu source unless you intentionally run and trust the local service it contacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares only allowed tools but does not present an explicit permissions model despite clearly requiring shell execution, network access, environment secrets, and file read/write behavior. In an agent setting, this under-disclosure is dangerous because users and orchestrators may invoke the skill without understanding that it can access API keys, modify local files, and perform outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is recent-data aggregation, but the behavior reportedly includes persistent SQLite storage, watchlists, scheduled/batch runs, local archival, webhook/Slack notifications, runtime auth/config probing, judge/evaluation flows, and additional data sources not disclosed in the main description. This mismatch materially increases risk because a user expecting a one-shot research skill may unknowingly trigger persistence, broader data collection, external notifications, or credential-related discovery behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a recent-research aggregation tool, but the CLI also accepts a special 'setup' mode that triggers external-service onboarding and authentication flows. In an agent context, this expands the capability boundary beyond passive research into account-affecting operations, which can lead to unintended auth prompts, token acquisition, or configuration changes if invoked by a user or downstream tool unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code dispatches to setup_wizard functions for OpenClaw, GitHub, and device authentication based solely on CLI arguments when the topic is 'setup'. Those workflows are not necessary for core recent-research behavior, and in an agent environment they create a privilege/intent mismatch where a research tool can initiate authentication side effects, exposing users to credential capture risk, consent bypass, or unintended persistent configuration updates.

Context-Inappropriate Capability

Medium
Confidence
73% confidence
Finding
The Xiaohongshu integration performs network calls to a configurable base URL and defaults to http://host.docker.internal:18060, which can reach services on the host from a container. In a skill whose declared scope does not mention this source, that hidden integration expands the network attack surface and could be abused for unintended local service interaction or data access if enabled.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code exposes additional data sources (Threads, Pinterest, Xiaohongshu) that are not disclosed in the skill metadata, so a caller may trigger collection from platforms they did not consent to or expect. In a research aggregation skill, hidden source expansion changes the trust boundary and can cause unintended network access, policy violations, or collection of data from services with different compliance expectations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The dispatcher can execute live searches against Threads, Pinterest, and Xiaohongshu even though the manifest does not declare them, confirming that the undocumented capability is not dead code. That makes the mismatch operational: users and reviewers may believe only the listed platforms are contacted while the skill can reach additional third-party services and send query terms to them.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The function accepts from_date and to_date but ignores them, instead hard-coding broad recency buckets of 1 day, 1 week, or 6 months. In a skill explicitly marketed as 'last 30 days' research, this can silently return stale or out-of-policy data, undermining user trust and any downstream decisions or automations that assume strict date bounds.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The watchlist manager includes configurable outbound webhook delivery unrelated to the core research aggregation function, enabling automatic transmission of topic names and activity counts to external endpoints. In this skill context, topics may reveal sensitive business interests, monitored persons, or internal investigations, so silent exfiltration to arbitrary HTTPS URLs meaningfully increases privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The planner appends `context` from web search directly into the prompt sent to the external reasoning provider, which can expose third-party or user-derived data to another service without any explicit minimization, redaction, or disclosure at this layer. In a social-research skill that aggregates recent web and platform content, this increases the chance of forwarding sensitive, proprietary, or policy-restricted material to the model provider.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code sends topic text and scraped candidate content to an external LLM provider via generate_json without any visible in-code consent, disclosure, or data-minimization control. In a research aggregation skill, topics and snippets may include sensitive user interests, proprietary research targets, or personal data from scraped content, creating privacy, compliance, and third-party data exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The fun-scoring path sends candidate text plus extracted comments to an external LLM, increasing exposure because comments may contain personal data, abusive content, or other uncontrolled third-party text. This is more dangerous in this skill because the feature is not essential to the stated research purpose, so it broadens external data sharing for a non-core function.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This test script transmits the assembled planner prompt and any user-supplied `--context` to a live external AISA chat-completions endpoint. Because the context may contain web-resolved or user-provided sensitive data and the script provides no consent gate, redaction, or warning, it creates a real data-exposure risk if operators use it with non-public content.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script silently switches from mock to live execution when AISA_API_KEY is present, which can trigger unexpected outbound requests to hosted services during verification. In a skill that aggregates recent social/web data, this increases the chance of accidental network access, data egress, cost incurrence, and environment-dependent behavior without an explicit opt-in.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Webhook calls send research update metadata to external URLs without any user-facing warning at the point of execution, making data egress easy to miss once configured. In a monitoring skill, even minimal metadata like topic names, timestamps, and finding counts can expose strategic interests or ongoing investigations to third parties.

External Transmission

Medium
Category
Data Exfiltration
Content
if not requests:
    raise RuntimeError("requests library not available for webhook delivery")

response = requests.post(
    url,
    json={"text": text},
    headers={"Content-Type": "application/json"},
Confidence
92% confidence
Finding
requests.post( url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
if not requests:
    raise RuntimeError("requests library not available for webhook delivery")

response = requests.post(
    url,
    json={
        "message": text,
Confidence
93% confidence
Finding
requests.post( url, json=

VirusTotal

65/65 vendors flagged this skill as clean.
