Security audit

Dingtalk Ai Web Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a web-search helper, but it needs review because it can run a local search script and persist MCP connection settings without clear user control.

Install only if you are comfortable with the skill running its local search helper and storing MCP connection settings for later use. Do not paste tokens, private server URLs, or full sensitive MCP configs unless you know where they will be saved and how to remove them. Prefer explicit invocation and review any saved configuration after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill invokes shell commands (`bash .../scripts/search.sh`) but does not declare any corresponding permissions, which creates a capability mismatch between what the skill advertises and what it actually does. This reduces transparency for reviewers and users, and can enable execution of local commands or access patterns that were not explicitly approved.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The description contains broad trigger phrases such as '搜一下', '帮我查', '查资料', and 'web search', which can overlap with common user language and cause the skill to activate unexpectedly. In a skill that executes shell commands and may prompt for or persist configuration, over-broad activation increases the chance of unintended execution and accidental handling of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill instructs the agent to permanently save user-provided MCP configuration JSON, including a server URL, without warning the user that the value will be stored persistently or may be sensitive. Persisting connection configuration can expose internal endpoints, tokens, or tenant-specific infrastructure details to future sessions, logs, or other components if storage is not tightly controlled.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.