Sequentialthinking

Security checks across malware telemetry and agentic risk

Overview

This reasoning skill appears to require an unrelated external API key and stores it locally in plaintext, making its trust boundary unclear.

Review this carefully before installing. Use a throwaway or least-privilege API key if you proceed, assume prompts and reasoning inputs may be sent to the external XBY service, and avoid using it with secrets or sensitive user data until the publisher clarifies the backend, removes unrelated gaokao/Xiaobenyang drift, and makes credential storage explicit and secure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding:
The documentation for a 'sequential thinking' skill unexpectedly requires an external XBY_APIKEY and references a gaokao-related project structure, indicating copy-paste drift or hidden backend coupling inconsistent with the stated purpose. Such inconsistencies are risky because they can trick users into providing unrelated credentials and conceal where data is actually sent or how the skill operates.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding:
The client accepts arbitrary mcp_id, tool_name, and params and forwards them upstream with no visible allowlist, validation, or authorization checks. In the context of a 'sequential thinking' service, this broader remote tool invocation surface can enable unintended actions, data exposure, or privilege expansion if untrusted callers can influence these fields.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding:
This module for a sequential-thinking service includes unrelated credential persistence logic for an external service, including reading and writing API secrets to a local .env file. That mismatch increases supply-chain and trust risk because a user installing a reasoning tool would not reasonably expect secret-management side effects, and the code creates a durable secret store that other local processes or later components may access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code persists the provided API key into a plaintext .env file without any user-facing warning, consent flow, or security disclosure. Plaintext secret storage on disk can lead to credential exposure through local file reads, backups, repository commits, logs, or packaging artifacts, especially when users do not realize persistence is happening.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding:
The docstring explicitly instructs the tool to generate, verify, and iterate on chain-of-thought reasoning, culminating in a 'correct answer.' In an LLM-integrated skill, this encourages elicitation and external handling of internal reasoning traces, which can expose sensitive intermediate deliberation, conflict with safe response policies, and increase prompt-injection/manipulation risk because the skill frames CoT production as intended behavior.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The instruction to directly display `result["raw"]` to the user can expose sensitive backend response fields, including echoed prompts, internal identifiers, quota details, error traces, or even secrets returned by mistake from the remote service. In this skill's context, the danger is elevated because the tool collects API keys and forwards data to an external backend, so raw responses may contain more than should be user-visible.

VirusTotal

64/64 vendors flagged this skill as clean.