Text Toolkit

Security checks across malware telemetry and agentic risk

Overview

This text toolkit is not clearly malicious, but it sends user text and HMAC secrets to a third-party API and stores the API key in a local .env file.

Install only if you are comfortable sending the text you transform, including code snippets, logs, documents, and HMAC keys, to the xiaobenyang remote API. Do not use it for secrets, proprietary data, personal data, or security-sensitive signing unless the publisher documents the service’s retention and handling guarantees and you are comfortable with the plaintext .env key storage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (13)

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: Requiring an external API key for basic text formatting and routing all operations through API-calling scripts is a strong indicator that user inputs are sent off-box for tasks that should normally be local. In the context of a text utility, this greatly increases privacy and secret-handling risk because users may submit proprietary source code, tokens, or internal documents for transformation.

Description-Behavior Mismatch

High

Confidence: 91% confidence
Finding: The workflow references unrelated school-search/gaokao behavior inside a purported text utility, indicating copy-paste drift or hidden dual-purpose functionality. Such inconsistencies are security-relevant because they undermine trust in the documented interface and suggest the skill may invoke unintended remote endpoints or process data outside the advertised scope.

Intent-Code Divergence

Medium

Confidence: 82% confidence
Finding: Labeling the repository structure as a gaokao skill contradicts the claimed identity of a text transformation tool, which raises supply-chain and trust concerns about repurposed code. In security review, this kind of identity mismatch suggests the package may contain stale or unintended components, including external API logic not expected by users.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: This file implements a generic remote API proxy rather than local text conversion logic: it accepts arbitrary tool names and parameter dictionaries, attaches an API key, and forwards them to an upstream endpoint. In the context of a skill advertised as a text transformation tool, this creates a capability mismatch that can expose user-supplied content to a remote service and enable unintended invocation of broader MCP functionality.

Context-Inappropriate Capability

Medium

Confidence: 83% confidence
Finding: The client initializes reusable HTTP/HTTPS transport and is designed to contact an upstream service based on configuration, giving the skill outbound network reach beyond what a simple local text utility would require. In this context, hidden or unnecessary network access increases the risk of data exfiltration, misuse of privileged API credentials, and unexpected behavior if the configured endpoint or tool set is broader than intended.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The module stores an API credential in a local .env file and exposes helper functions to persist and retrieve it, even though the advertised skill is only for text conversion/formatting/analysis. Persisting secrets to a project-local plaintext file increases the chance of accidental disclosure through source control, backups, logs, or other tooling that reads workspace files.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: This code performs local secret storage and mutates process environment variables, which is unrelated to the declared text-processing purpose and expands the skill's access to sensitive data handling. Even without obvious exfiltration in this file, unnecessary credential management increases attack surface and can enable later leakage via other components or debugging output.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The skill is described as a text conversion/formatting/analysis tool, but it also exposes UUID generation and cryptographic helpers such as MD5, SHA-1, SHA-256, SHA-512, and HMAC. This scope expansion increases the chance that users supply sensitive material or rely on security-relevant operations they did not expect from a text utility, especially because those operations are implemented through a remote API rather than obviously local code.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: Nearly every function forwards user-supplied text to call_api, meaning a tool presented as basic text processing actually performs network transmission of arbitrary user content. That creates confidentiality and compliance risk because users may pass source code, secrets, personal data, or proprietary text expecting a local transformation, while the skill silently sends it to an external service.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The code serializes and forwards arbitrary params directly to the upstream API without any disclosure, filtering, redaction, or consent mechanism in this file. For a text conversion skill, users may reasonably expect local handling of their input; silently transmitting arbitrary content to a remote service can leak sensitive text, credentials, or proprietary material.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The code silently writes the API key into .env without any warning, disclosure, or consent mechanism. Users may reasonably assume a text utility does not persist credentials to disk, so this behavior can expose secrets unexpectedly through repository check-ins, shared folders, or endpoint compromise.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code sends the provided text argument to an external API without any warning in this file that user content leaves the local environment. For a text utility, this is dangerous because users are likely to paste sensitive code, credentials, logs, or personal data under the assumption that processing is local.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The generate_hmac function transmits both the text and the secret HMAC key to the external API. Sending credential-like secret material to a remote service materially increases the risk of secret exposure, misuse, retention, or compromise, and is especially inappropriate for an operation that should normally be performed locally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal