Security audit

Qanon

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine QAnon research API wrapper, but it asks for an API key and stores it in a local .env file, and it carries copied, inconsistent Gaokao references that make the exact trust boundary harder to verify.

Install only if you trust the XiaoBenYang service and are comfortable storing an XBY_APIKEY in a plaintext .env file in the working directory. Use a limited-scope key if available, avoid entering sensitive personal queries, and review or remove the unrelated Gaokao references and generic API helper before using it in a higher-trust environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill advertises no explicit permissions while its documented behavior includes reading environment variables, writing files (.env), and calling external network services. That mismatch weakens user and platform trust boundaries because users may not realize the skill can persist secrets locally and exfiltrate data to a remote API.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The documented purpose is QAnon dataset access, but the workflow and project structure indicate a generic remote API wrapper with reused Gaokao-related naming and secret-handling logic. This kind of description/behavior mismatch is dangerous because it can mislead users about which backend they are trusting, what data is stored, and where their inputs and credentials are actually sent.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The workflow examples reference an unrelated Gaokao school-search skill, indicating copy-pasted or inconsistent instructions. Such inconsistencies increase the risk of misrouting user data, invoking unintended tools, or masking the true functionality of the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
This code acts as a generic proxy to an external MCP endpoint by accepting arbitrary `tool_name`, `mcp_id`, and `params` and forwarding them upstream. That exceeds the stated purpose of providing QAnon dataset access for research and creates a confused-deputy risk where the skill can be used to invoke unintended external capabilities, potentially causing unauthorized data access or side effects outside the advertised scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The function retrieves an external API key and uses it to call a third-party service, introducing an undeclared external trust boundary and capability. In combination with arbitrary tool dispatch, this can let the skill spend privileged credentials on actions unrelated to the research use case or expose sensitive requests to an external operator.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The code adds credential persistence and mutation behavior by writing an API key into a local .env file and updating process environment state. That capability exceeds the stated dataset access and analysis purpose, increases the secret-handling footprint, and can expose credentials through local file compromise, backups, logs, or repository leakage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
This function implements local secret storage without clear justification from the skill's described research-analysis function. Storing API keys in a project-local .env file broadens attack surface because other local users, tooling, backups, or accidental commits may expose the credential.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding:
The docstrings and comments describe a different product context ('小笨羊高考Skill') than the declared QAnon analysis service, indicating code reuse, mismatch, or possible repurposing from another project. Such inconsistencies are a strong supply-chain red flag because they undermine trust in the skill's stated purpose and can conceal unrelated or unnecessary behaviors, including secret handling.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to collect an API key from the user and save it without clearly warning how it will be stored or protected. This creates a credential-handling risk because users may disclose sensitive secrets in chat without informed consent, and the secret may then be persisted insecurely.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The instruction to directly display reorganized raw API output lacks any warning or filtering step for sensitive, unexpected, or harmful content. If the upstream API returns credentials, personal data, or prompt-injection text, the agent may expose it directly to the user.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
This code sends both user-supplied parameters and an API credential to an external service without any visible user-consent, disclosure, or data-minimization controls in this component. For a research-focused skill, silent transmission of potentially sensitive query contents to a third party increases privacy and governance risk, especially if users believe the skill only accesses a local or bounded dataset.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The API key is written to .env with no visible user-facing disclosure or consent mechanism. Users may reasonably expect a temporary configuration action, but instead the credential becomes persistent on disk, increasing the chance of accidental disclosure through local access, backups, or source-control mistakes.

Ssd 3

Severity: Medium
Confidence: 90%
Finding:
Collecting an API key through natural-language chat and then continuing a workflow that also displays raw tool outputs creates an unsafe path for secret handling. Secrets entered in chat are easier to log, echo, or mishandle than values provided through dedicated secret-management channels.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
Directly reorganizing and presenting raw API response data without privacy or sensitivity filtering risks disclosure of confidential fields, harmful content, or prompt-injection strings embedded in remote responses. Because this skill is a thin wrapper over an external API, the trust boundary is especially important.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.