Meme Collector 热梗收集器

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it collects meme entries and writes new documents to a user-specified Dify knowledge base, with credential and proxy handling risks users should manage carefully.

Install only if you want an agent to add documents to the selected Dify dataset. Use a least-privileged Dify API key, avoid untrusted proxies, quote or safely pass command arguments, and review the generated meme JSON before upload if the knowledge base is production or customer-facing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill directs the agent to write new content into an external Dify knowledge base but does not prominently warn that it will modify persistent third-party data. In this context, that is dangerous because users may believe they are only gathering information, while the skill can permanently change a production knowledge repository.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill requires an API key and proxy details for outbound API operations but gives no guidance on secure credential handling, storage, redaction, or logging. This increases the risk of credential leakage through prompts, transcripts, shell history, temporary files, or misconfigured tooling, which could lead to unauthorized access to the knowledge base.

VirusTotal

64/64 vendors flagged this skill as clean.
