Mathematical Visualization

Security checks across malware telemetry and agentic risk

Overview

This appears to be a remote math-visualization skill, but it asks for and persists an API key while containing copied or inconsistent instructions that should be reviewed before use.

Install only if you are comfortable sending visualization requests and parameters to XiaoBenYang's remote API and storing an XBY_APIKEY in a local .env file. Review or fix the stale gaokao references and broken tools.py before relying on it in a sensitive environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (11)

Description-Behavior Mismatch

High

Confidence: 89% confidence
Finding: The manifest presents a math visualization service, but the skill routes to unrelated economics, structural engineering, and logo-design tools. This broadens the functional scope beyond what a user would reasonably expect, which weakens informed consent and makes abuse or accidental misuse harder to detect.

Intent-Code Divergence

High

Confidence: 95% confidence
Finding: The workflow and project-structure sections contain contradictory references to gaokao school-search APIs and tools, suggesting copy-pasted instructions from a different skill. Such inconsistencies are dangerous because they can cause the agent to invoke the wrong functions, collect inappropriate user data, or route requests to unintended services.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The API-key and external API workflow reveals that the skill is not self-contained visualization logic but a wrapper around a remote service. When a skill masks remote processing behind a local-tool description, users may unknowingly send prompts, parameters, or secrets to a third party they did not intend to trust.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: This configuration file is inconsistent with the declared math-visualization skill and instead contains logic for a different service ('高考') plus persistent API credential handling. In a skill supply-chain context, unrelated credential-management code is dangerous because it expands the trust boundary, may cause users to provide secrets the skill should not need, and can enable hidden exfiltration or lateral access to another backend.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The skill description says it provides math visualization, but this file reads, stores, and exposes an external API key from both .env and process environment. That mismatch makes the behavior suspicious and unsafe: users or operators may unknowingly grant credentials to functionality outside the advertised purpose, increasing risk of secret misuse or unauthorized backend access.

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The class docstring identifies a different skill than the manifest, which is a strong indicator of copied, mislabeled, or repurposed code. In security review, such provenance mismatches matter because they often accompany hidden functionality, incorrect trust assumptions, and secrets or endpoints intended for another system.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The code persists a provided API key directly into a local .env file and updates the process environment without any warning, consent flow, or disclosure to the user. Persisting secrets this way can leave credentials readable by other local users, accidentally committed to source control, or exposed through logs, backups, and support bundles.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: Nearly every tool forwards user-supplied inputs to an external API via call_api, yet this file provides no user-facing notice, consent mechanism, or data-minimization guardrails. In a tutoring/visualization context, prompts may contain sensitive student, proprietary, or research data, so silent transmission creates a real privacy and compliance risk even if the destination API is trusted.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill instructs the model to ask for a user API key, save it locally, and reuse it later. Persisting secrets through natural-language workflow without a clear secure storage model or explicit consent increases the risk of credential theft, accidental disclosure, cross-session leakage, or use outside the user's intent.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The workflow mandates credential collection and storage before any operation, normalizing secret capture as part of routine interaction. This is especially risky because the same skill also performs outbound network calls, so the captured credential may be exposed to a broader execution path than the user expects.

Ssd 3

Medium

Confidence: 90% confidence
Finding: The instructions tell the model to directly present raw API data to the user. Returning unfiltered raw responses can expose internal fields, error traces, identifiers, or unexpected content from the upstream service, and it reduces the opportunity to sanitize or minimize sensitive data before display.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal