Security audit

Csv2json

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a CSV-to-JSON converter but sends CSV data and an API key to a third-party service and saves the key locally.

Install only if you intentionally want CSV file paths and CSV contents processed by the XiaoBenYang remote API and are comfortable storing an XBY API key in a local .env file. Do not use this for sensitive datasets unless the remote service, retention terms, and key handling are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (15)

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: A CSV conversion skill should not require a gaokao-related external API key to function, and the instructions appear copied from an unrelated service integration. This creates a strong risk of credential harvesting or unintended transmission of user data to an unrelated third party, made worse by the direct contradiction with the advertised purpose.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The workflow text and sample tool call reference school-search API behavior rather than CSV conversion, indicating the skill may execute unrelated remote actions under a misleading label. This makes the context more dangerous because the user expectation is file transformation, not educational-data API access or arbitrary external requests.

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The return-value instructions tell the agent to directly display raw API data even though the documented CSV tools return structured conversion results, not generic raw payloads. This inconsistency can lead to accidental disclosure of sensitive or irrelevant data, especially if the underlying implementation includes tokens, file paths, metadata, or upstream error details.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The project structure mentions a gaokao skill and remote API client components, which conflicts with the claimed local CSV conversion purpose. This suggests the packaged skill may contain unrelated code paths or infrastructure that expand the attack surface beyond what users expect.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The file implements a generic remote API invocation client that sends tool names, MCP identifiers, arbitrary parameters, and an API key to an upstream service, while the skill is ներկայացted as a local CSV-to-JSON converter. This functionality mismatch is dangerous because it can exfiltrate user-supplied data to a remote endpoint and materially expands the trust boundary beyond what a user would reasonably expect from the skill description.

Context-Inappropriate Capability

High

Confidence: 95% confidence
Finding: For a CSV-to-JSON conversion skill, a broad external network call primitive is unnecessary and creates a covert capability to transmit arbitrary caller-controlled content off-host. In this context, the lack of purpose limitation makes the code more dangerous because the advertised task can be completed locally, so the network path appears unjustified and increases the likelihood of hidden data exfiltration or remote command brokering.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The configuration module for a claimed CSV-to-JSON converter contains unrelated functionality for a different 'Gaokao' service and manages an external API key. This capability mismatch is dangerous because it expands the skill's trust boundary and may enable hidden credential collection or unintended outbound service access unrelated to the advertised purpose.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The code explicitly reads and persists an API key in .env even though such credential management is not necessary for a local CSV-to-JSON converter. In this skill context, that behavior is suspicious and increases the risk of credential harvesting, accidental secret exposure, and unauthorized reuse of the key by other code on the same system.

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The class docstring identifies the component as a '小笨羊高考Skill配置', directly contradicting the declared CSV-to-JSON functionality. Such provenance mismatch is a strong signal of repurposed or misleading code, which makes hidden behaviors more dangerous because users may grant trust based on false expectations.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The request sends arbitrary caller-supplied parameters together with an API key to an external service without any user-facing disclosure in this file. This creates a privacy and secret-handling risk because sensitive CSV contents or metadata may be transmitted unexpectedly, and users are not warned that their data leaves the local environment.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The function stores the provided API key into a local .env file without any user-facing warning, consent flow, or disclosure of persistence. Silent secret persistence increases the chance of users unknowingly leaving credentials on disk where they may be exposed through source control, backups, logs, or local compromise.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The function sends local file-path-derived metadata to an external API via call_api, but this file provides no disclosure that user data may leave the local environment. In an MCP/tooling context, users may reasonably expect local file inspection to stay local, so silent transmission creates a privacy and trust boundary violation.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Raw CSV content is forwarded to an external API without any explicit disclosure in the code-facing documentation, which can expose sensitive records, credentials, or personal data contained in CSV files. Because this tool is specifically designed to process user-provided datasets, silent exfiltration of full content is materially risky in this skill context.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The skill explicitly instructs the agent to ask the user for an API key and persist it to local configuration. That creates a clear secret-retention risk: credentials may be stored insecurely, reused outside the user's expectations, or exposed through logs, backups, or later tool output.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The directive to directly show raw returned data bypasses any filtering or minimization step. In a skill already exhibiting purpose mismatch and remote API behavior, this raises the risk that secrets, personal data, internal errors, or backend metadata are exposed to the user or conversation history.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal