Last30days Zh

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent recent-research aggregator, but users should understand that their topics may be sent to AISA and other public-data services.

Install only if you are comfortable sending research topics and public-result snippets to AISA and other enabled sources. Keep the AISA key scoped, store ./.last30days-data/config.env with restrictive permissions, and avoid enabling optional YouTube transcripts, auto-resolve, Xiaohongshu, Threads, or Pinterest unless you want those extra lookups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding
The skill advertises and instructs use of shell, Python, network access, and likely local config/file interactions, but does not declare permissions accordingly. This creates a transparency and policy gap: hosts or users may invoke the skill without understanding its effective capabilities, increasing the risk of unintended file access, network egress, or command execution in a more privileged environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The code advertises one set of sources but conditionally enables additional sources such as Threads, Pinterest, and Xiaohongshu when configuration and requested inputs permit. This creates a capability/consent mismatch: a caller or reviewer relying on the manifest may not realize the skill can make outbound requests to extra third-party services, which can expose user queries to unintended destinations and bypass policy expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The retrieval dispatcher contains live code paths that perform searches against Threads, Pinterest, and Xiaohongshu, confirming the undeclared-source behavior is not dead code. In a research aggregation skill, this is risky because user topics may be transmitted to external services the user did not expect, undermining transparency, auditability, and data-handling controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The resolver extends data collection beyond the skill's declared sources by actively discovering GitHub users and repositories. That creates a scope-expansion issue: users and downstream components may believe the skill only aggregates recent social/news/web results, while the code also profiles GitHub identities and repos, which can surprise users, alter data-handling expectations, and pull in unrelated sensitive attribution data.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The function documentation says the return value contains only subreddits, x_handle, context, and searches_run, but the actual code also returns github_user and github_repos. This contract mismatch is security-relevant because callers, reviewers, and policy checks may make trust decisions based on the documented schema and fail to account for extra collected identity data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
This module adds Xiaohongshu as a data source even though the declared skill source set lists Reddit, X/Twitter, YouTube, TikTok, Instagram, Hacker News, Polymarket, and web search, but not Xiaohongshu. That mismatch is a real security/governance issue because it expands external data access beyond what users, reviewers, or policy controls may expect, potentially bypassing source allowlists, compliance review, or regional/privacy restrictions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The module directly requests youtube.com watch pages and caption tracks to obtain transcripts, which expands data collection beyond the declared AISA-hosted search path. This creates an undeclared external access path, with privacy/compliance and policy-boundary risks, especially because transcript enrichment can be enabled via config and then causes network access to a third-party service.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The file repeatedly claims an 'AISA-only' or 'runtime-disabled' design, yet `_fetch_transcript_direct` and `fetch_transcript` still perform live HTTP scraping against YouTube. This mismatch is dangerous because reviewers, operators, and policy controls may trust the documentation and approve behavior the code does not actually enforce, creating a deceptive security boundary failure.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The code logs both the extracted core query and the raw user topic string, which can expose sensitive user input to logs that may be retained, aggregated, or viewed by operators. In a research skill handling arbitrary user topics, raw queries may contain personal, confidential, or investigative information, so this creates an avoidable privacy leak.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
The code sends the user's search topic directly to Polymarket's third-party Gamma API as the q parameter. Even though this is expected for the feature to work, it can expose potentially sensitive user research topics to an external service without any visible consent, minimization, or warning in this component; in a multi-source recent-research skill, users may enter confidential or identifying queries.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
This code sends candidate titles, snippets, and extracted comment text from public internet content to an external LLM provider for scoring. Even if the source data is public, this creates a data-sharing boundary with a third party and may transmit user-derived queries, scraped content, or copyrighted/sensitive text without explicit disclosure, consent, or minimization controls.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code logs resolved subreddits, X handle, GitHub user, GitHub repositories, and context summary to stderr. Even if individually public, this derived profile can reveal inferred interests or identities tied to a user's query topic, and logs are often retained, aggregated, or exposed to operators without the user's knowledge.

VirusTotal

66/66 vendors flagged this skill as clean.