Security audit

Oecd Search

Security checks across malware telemetry and agentic risk

Overview

This OECD-branded data skill should be reviewed because it actually routes through a Xiaobenyang MCP proxy and stores a Xiaobenyang API key locally.

Install only if you understand that this is not a direct OECD SDMX client as presented: it requires a Xiaobenyang API key, sends requests through Xiaobenyang's MCP endpoint, and stores the key in a local .env file. Treat it as a third-party proxy integration and review the publisher and credential handling before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
The documentation requires a Xiaobenyang API key and directs the model to collect and store it, which conflicts with the claimed OECD SDMX service identity. In context, this is especially risky because it can trick users into disclosing a credential for an unrelated third-party service under the guise of a public-data lookup skill.

Intent-Code Divergence

Severity: High. Confidence: 97%.
The example tool call references an unrelated school-search function, indicating the skill content may have been copied from another project without proper review. This inconsistency is dangerous because it undermines operator trust, increases the chance of invoking unintended tools, and suggests the skill may route user inputs to unrelated services.

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
The project structure names a gaokao-oriented skill rather than an OECD service, reinforcing that the package may actually belong to a different application. In this context, that mismatch raises supply-chain and secret-handling concerns because users cannot reliably determine what code or remote service will process their requests.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
The implementation does not query the OECD SDMX API described by the skill metadata; instead it forwards requests to a generic third-party MCP endpoint using configurable headers and tool names. This creates a trust-boundary mismatch: users and downstream agents may believe they are accessing OECD data directly, while their prompts and parameters are actually sent to an unrelated upstream service that can observe, transform, or misuse the data flow.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
The client accepts arbitrary `tool_name`, `mcp_id`, and free-form `params`, then passes them directly to a generic upstream API via headers and JSON body. For a skill advertised as an OECD data query service, this is overbroad capability that can enable unintended tool execution, data exfiltration, or abuse of upstream functions beyond the user’s expected scope.

Intent-Code Divergence

Severity: Low. Confidence: 84%.
The class name and docstring identify this as a XiaoBenYang MCP API client, which conflicts with the declared OECD SDMX service identity. While naming alone is not exploitable, in this context it corroborates that the skill may be masquerading as an OECD data service while actually integrating with a different backend, increasing the risk of deceptive data handling and unsafe trust assumptions.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
This skill claims to be an OECD data query service, but the configuration code persists and manages an API credential for an unrelated XBY/Xiaobenyang service. That mismatch is a strong indicator of copied or repurposed code and creates a real secret-handling risk because the skill can write credentials to local storage and process environment state unrelated to its stated function.

Intent-Code Divergence

Severity: Medium. Confidence: 93%.
The docstring and identifiers describe a different skill ('小笨羊高考' / XBY_GAOKAO) than the manifest's OECD data service. In security review, this inconsistency matters because it suggests the file was transplanted from another project, increasing the chance of hidden functionality, incorrect endpoints, or accidental credential exposure to the wrong backend.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The code writes the provided API key directly into a .env file without any user confirmation, warning, or permission check. Persisting secrets silently increases the chance of credential leakage through source control, backups, logs, or shared working directories, especially in agent environments where users may not expect local secret storage.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.