Security audit

AnnData data retrieval tool

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AnnData API wrapper, with cautions around local API-key storage and some copy-paste documentation errors.

Install only if you trust the XiaoBenYang API service with your AnnData query parameters and API key. Prefer using an environment variable or platform secret store instead of leaving the key in a project .env file, and review the documentation mismatch before relying on the examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises no declared permissions, yet its documented workflow clearly relies on environment access, file read/write, and network operations. This mismatch weakens transparency and consent boundaries: a user or platform may authorize the skill believing it is low-privilege when it can actually read local AnnData files, store secrets, and contact remote services.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The workflow example instructs the model to call a gaokao school-search function inside a skill presented as an AnnData retrieval tool. This inconsistency is dangerous because it can misroute user requests, cause the agent to invoke unintended tooling, and is a classic indicator of copy-paste drift that can conceal broader logic or data-handling mistakes.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The project structure references a gaokao skill directory while the document claims to describe an AnnData tool. Although lower severity than an incorrect executable example, this discrepancy undermines provenance and trust, and may indicate the skill package was repurposed without fully updating implementation details.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This skill includes logic to persist, mutate, and retrieve API credentials even though the declared purpose is AnnData information retrieval. Expanding a data-retrieval skill to manage local secrets increases the attack surface and creates an unnecessary capability that could expose credentials through local files, later prompts, or other components.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Writing the API key into a local .env file is a persistence mechanism unrelated to the stated retrieval-only behavior. Stored plaintext secrets are vulnerable to accidental disclosure via source control, backups, logs, workspace inspection, or access by other local processes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code silently stores an API key in .env without any visible confirmation, warning, or explanation of persistence behavior. Users may reasonably assume the key is used transiently, so silent persistence increases the chance of unintentionally leaving sensitive credentials behind on disk.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # Force reading XBY_APIKEY from the .env file
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # Force reading XBY_APIKEY from the .env file
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """Save the API key to the .env file"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """Set the API key and persist it to .env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
95% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 3 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func)

Low
Category
Supply Chain
Confidence
91% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
88% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.