Xby Dice

Security checks across malware telemetry and agentic risk

Overview

This dice-rolling skill asks for and stores an API key, then calls an external MCP-style service for a task that should be local, with leftover unrelated gaokao configuration increasing review risk.

Review before installing. Only use this if you intentionally want to trust xiaobenyang.com with an API key and dice-roll requests, and are comfortable with the key being stored in a local .env file. For ordinary dice rolling, prefer a local implementation that does not require secrets or network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes capabilities to read environment variables, read/write local files, and access the network, yet the documentation does not declare those permissions or clearly justify them. This reduces transparency and informed consent for users, especially because the skill also persists an API key locally and sends requests to a remote service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is a simple dice-rolling server, but the documented behavior includes collecting an API key, persisting it locally, and routing requests to an external remote API with broader generic tool-calling behavior. This mismatch is dangerous because users may trust the skill as low-risk entertainment logic while it actually handles secrets and performs undisclosed networked operations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
A dice-rolling skill should not normally require an external API key or instruct the model to display raw API output from a remote service. Requiring a secret for trivial functionality is a strong indicator of unnecessary credential collection and creates risk of sensitive-data exposure through raw responses.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The workflow and project structure reference school-search behavior and a gaokao-named project, which contradicts the declared dice-rolling purpose. Such inconsistencies are dangerous because they suggest copied or repurposed instructions, increasing the chance that the skill invokes unrelated remote functionality or mishandles user input and secrets.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This file implements a generic outbound HTTP client that can invoke arbitrary MCP tools by passing caller-controlled tool names, parameters, and MCP IDs to a remote API. For a skill advertised as a simple dice-rolling service, this creates a capability mismatch that can enable unintended remote actions, data exfiltration, or abuse of authenticated upstream functionality if higher-level validation is absent.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code sends authenticated requests to an upstream service using an API key, which is a powerful network capability not obviously necessary for local dice rolling. In the context of a narrowly scoped dice tool, this expands the trust boundary and means compromise or misuse of the skill could trigger external API actions under the user's credentials or service identity.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements configuration and credential management for an external 'gaokao' service, which materially conflicts with the declared skill purpose of a simple dice-rolling service. That mismatch strongly suggests code reuse or hidden functionality and expands the trust boundary by introducing remote service access and secret handling that users would not reasonably expect.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads, stores, and updates an external API key via .env and process environment variables despite the skill being described as only rolling dice. For this context, credential management is unnecessary and dangerous because it enables secret collection and persistence unrelated to the advertised capability.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Hardcoded remote service endpoint and MCP identifier introduce an undeclared external dependency into a skill that should be self-contained. Even without immediate exfiltration shown here, this broadens attack surface and indicates capability drift beyond expected dice-rolling behavior.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The class docstring identifies this as '高考Skill配置' (roughly, "gaokao skill configuration") while the package is presented as a dice service, indicating mislabeled or transplanted code. Such inconsistencies are a security concern because they can conceal unrelated capabilities and undermine accurate review and user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function persists sensitive API credentials to a local .env file without any explicit warning, consent flow, or secure storage mechanism. Storing secrets on disk in plaintext increases the chance of accidental disclosure through backups, repository inclusion, local compromise, or log/diagnostic access.

VirusTotal

64/64 vendors flagged this skill as clean.