Back to skill

Security audit

Last30days

Security checks across malware telemetry and agentic risk

Overview

This is a coherent recent-research skill that uses expected web/social APIs and API keys, with some optional data-source and config-file behavior users should understand before installing.

Install only if you are comfortable sending research topics, profile targets, handles, and retrieved snippets to AISA and public-source APIs. Review any .claude/last30days.env files in the workspace or parent directories, set INCLUDE_SOURCES deliberately, and leave optional YouTube transcript enrichment off unless direct YouTube requests are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises executable behavior that uses environment variables, shell commands, file reads/writes, and network access, but it does not declare any permissions model to make those capabilities explicit. That creates a transparency and consent gap: a harness or user may invoke the skill without understanding that it can access secrets like AISA_API_KEY/GH_TOKEN, write config files, and make outbound requests to multiple services.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as a research/briefing tool, but the CLI contains a separate setup flow that can initiate authentication, run device auth, and write configuration to disk. This creates a capability mismatch: a caller expecting passive research may unknowingly trigger credential-related side effects or local state changes, which is risky in agent/tooling environments where tool descriptions are relied on for trust and permission boundaries.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
The code can persist report findings into a local SQLite store even though the skill description focuses on returning a ranked brief. While this is not inherently malicious, it introduces undeclared data retention and local side effects, which can expose researched topics or gathered content beyond the immediate invocation.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The pipeline declares and supports additional sources such as Xiaohongshu, Threads, and Pinterest that are not disclosed in the skill metadata, which expands the skill’s effective data-collection surface beyond the user-visible contract. In an agent setting, this can cause users or orchestrators to authorize or route tasks under incomplete assumptions about which platforms may be queried, creating a scope-transparency and consent problem.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The available-sources logic can advertise undeclared platforms like Threads and Pinterest as available when credentials are present, even though the skill description does not mention them. This increases the chance that downstream planners or users will unknowingly use data sources outside the documented scope, weakening transparency and policy enforcement.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The retrieval dispatcher actively executes searches against undeclared platforms, not just passively listing them, which means user queries may be transmitted to external services outside the stated skill scope. Because this skill is specifically designed for broad recent-web and social research, hidden expansion to extra platforms materially increases privacy, compliance, and trust risks.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file adds a separate `score_fun` pathway that scores candidates for humor, cleverness, and virality, which is not aligned with the skill's stated purpose of recent research, evidence gathering, and ranked briefs with citations. In an agent setting, this undocumented capability can bias outputs toward entertaining or viral content over accurate, relevant evidence, creating scope creep and potentially unsafe downstream behavior if invoked implicitly or repurposed.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The prompt built in `_build_fun_prompt` explicitly instructs the model to judge items for humor, wit, and shareability and to prefer short punchy content over substantive analysis. For a skill intended to research the last 30 days and return grounded evidence, this introduces a conflicting optimization target that can skew selection toward memes, jokes, and viral posts instead of trustworthy signals.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module adds a Xiaohongshu integration even though the declared skill description lists other platforms and grounded web search, but not Xiaohongshu. This creates a scope-expansion and transparency problem: operators and users may believe the skill only accesses declared sources, while it actually reaches an additional third-party platform and its login-backed API, which can undermine consent, review assumptions, and data-governance controls.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module advertises an 'AISA-only' pipeline, but transcript enrichment can trigger direct outbound requests to YouTube watch pages and caption URLs via urllib. In an agent/runtime that relies on strict egress controls, this creates an undocumented network path that can bypass expected proxying, logging, policy enforcement, or tenant-level restrictions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code uses AISA-backed X/Twitter search and transmits topic, handles, and related-handle queries to an external provider using configured credentials, but this file contains no user-facing disclosure or consent boundary for that transmission. In a research skill that may process person/company profiling requests, silent third-party transmission can expose sensitive investigation targets, internal interests, or customer data to external services.

Credential Access

High
Category
Privilege Escalation
Content
"""
    cwd = Path.cwd()
    for parent in [cwd, *cwd.parents]:
        candidate = parent / '.claude' / 'last30days.env'
        if candidate.exists():
            return candidate
        # Stop at filesystem root or home
Confidence
70% confidence
Finding
.env'

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.