Security audit

Dingtalk Ai Web Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a web-search helper, but it needs review because it can run a local search script and persist MCP connection settings without clear user control.

Install only if you are comfortable with the skill running its local search helper and storing MCP connection settings for later use. Do not paste tokens, private server URLs, or full sensitive MCP configs unless you know where they will be saved and how to remove them. Prefer explicit invocation and review any saved configuration after setup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill invokes shell commands (`bash .../scripts/search.sh`) but does not declare any corresponding permissions, which creates a capability mismatch between what the skill advertises and what it actually does. This reduces transparency for reviewers and users, and can enable execution of local commands or access patterns that were not explicitly approved.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The description contains broad trigger phrases such as '搜一下', '帮我查', '查资料', and 'web search', which can overlap with common user language and cause the skill to activate unexpectedly. In a skill that executes shell commands and may prompt for or persist configuration, over-broad activation increases the chance of unintended execution and accidental handling of sensitive data.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to permanently save user-provided MCP configuration JSON, including a server URL, without warning the user that the value will be stored persistently or may be sensitive. Persisting connection configuration can expose internal endpoints, tokens, or tenant-specific infrastructure details to future sessions, logs, or other components if storage is not tightly controlled.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.