Running Formulas

Security checks across malware telemetry and agentic risk

Overview

This running-calculator skill is a disclosed remote API wrapper, but copied Gaokao artifacts, broad API forwarding, and raw API-key persistence make its scope and credential handling unclear.

Install only if you trust xiaobenyang.com with your API key and running/heart-rate inputs. Expect the key to be saved locally in a plaintext .env file, and review the copied Gaokao references and broad API helper before using it in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The skill is described as a running-calculation service, but the documentation mandates collecting an external API key and contacting a third-party site. That is a material behavioral mismatch which can trick users into disclosing secrets to functionality that should not require them, especially because the listed features are ordinary deterministic calculations.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The workflow claims that code only calls APIs, while the tool list presents pure calculation functions such as VDOT, pace conversion, and race prediction. This contradiction obscures actual execution behavior and increases the risk that user inputs and secrets are unnecessarily transmitted off-platform under the guise of local calculations.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The documentation contains obvious cross-project inconsistencies, including a gaokao project path and a school-search function example inside a running calculator skill. That strongly suggests copy-pasted or mismatched instructions, which makes the skill less trustworthy and raises the possibility that unrelated code paths, APIs, or data handling behaviors are being exposed to users unintentionally.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The client exposes a generic outbound invocation path where both the target MCP identifier and the function name are caller-controlled, then forwards arbitrary JSON parameters to the upstream API. In a skill advertised as a running-calculation service, this broad proxy behavior increases the attack surface and can enable unauthorized access to unrelated upstream tools or abuse of the stored API key if higher-level access controls are missing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The code sends a privileged API key along with a caller-supplied function name and MCP ID, effectively creating remote tool-execution capability beyond the stated purpose of pace, VDOT, and heart-rate calculations. Because no local policy limits which upstream functions may be called, any consumer of this wrapper may be able to reach broader backend capabilities than intended.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
The configuration clearly targets a different domain than the declared running calculator skill: it uses a Gaokao-specific env prefix and metadata while exposing a remote MCP endpoint and API key flow. This mismatch is a strong supply-chain integrity signal because users expecting a local calculator may unknowingly load code intended for another service and disclose credentials to an unrelated backend.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
A running calculator generally does not need a hard-coded remote base URL, MCP identifier, and API-key handling unless this is explicitly disclosed. In context, these settings expand the trust boundary and create a risk of silent data transmission or credential use against an external service inconsistent with user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The code persists API credentials into a local .env file even though the skill is presented as a running calculator. Storing credentials locally without clear necessity or disclosure increases the chance of accidental exposure through backups, source control, multi-user systems, or other local processes.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The docstring states the settings are for a Gaokao skill, directly contradicting the manifested running calculator service. This kind of provenance mismatch is dangerous because it suggests code reuse from an unrelated project or deceptive packaging, making it harder for reviewers to trust what data the skill accesses or where it sends it.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The file presents itself as a running calculation service but actually sends all user-supplied inputs to an external API via call_api. This creates a real trust-boundary and data-exposure issue: users and integrators may assume calculations are local, while potentially sensitive health/performance data is transmitted off-box without any visibility here into endpoint security, validation, logging, or retention.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The function writes an API key into .env without any warning, consent flow, or disclosure to the user. Silent secret persistence is risky because users may assume the key is only used transiently, while the code leaves long-lived credentials on disk where they may be exposed later.

VirusTotal

64/64 vendors flagged this skill as clean.
