Security audit

NBA数据服务 (NBA Data Service)

Security checks across malware telemetry and agentic risk

Overview

This NBA data skill appears functional, but it asks for an API key and persists it in a local .env file with incomplete handling guidance and several stale Gaokao copy-paste references.

Install only if you are comfortable giving this skill a XiaoBenYang API key, having that key stored in plaintext in a local .env file, and sending requests through mcp.xiaobenyang.com. Prefer a revised version that removes the Gaokao leftovers, avoids plaintext secret persistence, documents how to revoke/delete the key, and pins dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises no declared permissions, yet its documented behavior includes reading environment variables, writing files, and making network calls. This creates a transparency and trust problem: users and hosting platforms cannot accurately assess what the skill will access before execution, and the file-write capability is especially sensitive because it is used to persist credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is described as an NBA data service, but its behavior also includes collecting a user API key, persisting it to .env, mutating process environment state, and routing through a third-party aggregation service. This mismatch weakens informed consent and can mislead users about where their credentials go and what the skill actually does, increasing the risk of unintended secret exposure and trust abuse.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation includes an unrelated example call to 'search_schools', which conflicts with the NBA-only purpose. Such inconsistencies are dangerous in agent skills because they can indicate copy-paste errors, wrong tool routing, or hidden behavior, and they reduce confidence that the documented interface matches the real execution path.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The project structure references a gaokao skill directory name despite claiming to be an NBA service. While not directly exploitable on its own, this inconsistency is a supply-chain and maintainability red flag because it suggests repurposed code or documentation that may conceal incorrect dependencies, misrouted requests, or mishandled secrets.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill includes functionality to persist an API key into a local .env file, which is broader than a read-only NBA data service would normally require. Storing secrets on disk increases exposure through accidental commits, local disclosure, or reuse by unrelated components, especially when the manifest does not clearly justify credential persistence.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The configuration docstring identifies the code as a Gaokao skill while the manifest claims this is an NBA data service. This mismatch is a supply-chain trust issue: it suggests code reuse from an unrelated project, raises provenance concerns, and makes it harder to verify that the skill only performs the functions users expect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to ask the user for an API key and store it, but does not explain retention, storage format, visibility, reuse, or who can access it later. Collecting secrets without clear handling guidance can lead to oversharing, insecure persistence, and users unknowingly providing credentials under false assumptions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code writes the API key to .env without any user-facing notice, confirmation, or opt-in. Silent secret persistence is dangerous because users may assume the key is transient while it remains on disk and can later be exposed through backups, file sharing, or source control mistakes.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly tells the agent to solicit and persist a user-provided API key, but does not require masking, redaction, least-retention, or limits on later disclosure. In an agent setting, this is dangerous because secrets may be echoed back, logged in transcripts, written to plaintext files, or reused outside the user's expectations.

Credential Access

High
Category
Privilege Escalation
Content
    default_year: int = 2025

    def model_post_init(self, __context):
        # Force-read XBY_APIKEY from the .env file
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    def model_post_init(self, __context):
        # Force-read XBY_APIKEY from the .env file
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """Save the API key to the .env file"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """Set the API key and persist it to .env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
91% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 3 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func)

Low
Category
Supply Chain
Confidence
96% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
89% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.