Xby Fetch

Security checks across malware telemetry and agentic risk

Overview

This skill presents itself as a web-content fetcher, but it also collects and stores an API key and forwards user-supplied URLs to a third-party service, and it discloses neither clearly.

Review it before installing. Use it only for non-sensitive public URLs; never point it at localhost, intranet hosts, cloud metadata endpoints, or private document links; and assume the API key it asks for is written to disk in plaintext. Prefer a local fetch/conversion skill, or one that clearly documents its third-party backend, its URL restrictions, and how it stores credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill advertises no explicit permissions, yet its documented workflow requires reading environment variables, writing an API key to local configuration, and making outbound network requests. This is hidden capability expansion: users and hosting systems may not realize the skill can access local secrets, persist sensitive data, and exfiltrate user-supplied URLs or credentials to external services.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The documented behavior does not match the stated purpose: instead of a simple local HTML-to-Markdown fetcher, it reads and persists API credentials and forwards requests to a fixed remote endpoint. The mismatch is dangerous because users may hand the skill sensitive URLs or credentials under the false assumption of local-only processing, enabling unexpected disclosure to a third party.

Intent-Code Divergence
Severity: Medium
Confidence: 87%
Finding: The workflow includes unrelated gaokao-style API-key and school-search instructions inside a purported web-fetching skill, indicating copy-paste contamination or poor isolation between skills. Such inconsistent instructions raise the chance of misrouting user input, mishandling secrets, or invoking unintended tools, especially when the model is told to follow the workflow strictly.

Intent-Code Divergence
Severity: Medium
Confidence: 85%
Finding: The tool-selection and structure sections contain contradictory or malformed instructions unrelated to the claimed feature set, which can confuse the agent into exposing capabilities or invoking the wrong backend behavior. In a security context, ambiguity around routing and tool usage raises the risk of unintended network requests, improper credential collection, or accidental disclosure of raw external content.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The module implements local API key persistence and retrieval even though the declared skill purpose is web content fetching and HTML-to-Markdown conversion. This mismatch expands the trust boundary and introduces unnecessary secret handling, increasing the chance of credential exposure through local files, source packaging, backups, or accidental disclosure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 85%
Finding: Persisting credentials to a local .env file is not justified by a simple webpage-fetching use case and creates an avoidable secret-retention risk. Any local user, process, backup system, or accidental repository inclusion could expose the stored API key.

Intent-Code Divergence
Severity: Low
Confidence: 96%
Finding: The docstring contains agent-behavior instructions unrelated to the tool's functional purpose and explicitly attempts to influence how the agent represents its capabilities. In a skill file, such hidden prompt-like guidance is a prompt-injection vector: it can override higher-level safety assumptions or mislead downstream systems about internet access and disclosure.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill lacks a clear warning that user-provided URLs and fetched page contents may be transmitted to an external service and that arbitrary remote content will be retrieved. Without this disclosure, users may unknowingly submit internal, private, or sensitive URLs, creating SSRF-like privacy and data-leakage risk in the skill's operating context.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code stores an API key in a .env file without any visible warning, prompt, or disclosure to the user. Silent credential persistence is dangerous because users may not realize secrets are being written to disk, where they can be exposed through filesystem access, backups, or version-control mistakes.
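The three credential findings above (Description-Behavior Mismatch, Context-Inappropriate Capability, and this one) describe a silent write of the API key to .env. The following is an added example, not the Xby Fetch skill's own code: it shows that pattern beside a hardened version that prefers the process environment, tells the user up front whether the value will be stored, writes only on explicit opt-in, creates the file owner-read/write only, and never overwrites a file it did not create. KEY_NAME and the prompt wording are assumptions for illustration.

```python
"""API-key handling for an agent skill: the silent .env write the report
flags, beside a hardened version.

Added example, not the Xby Fetch skill's own code. KEY_NAME and the prompt
text are assumptions; the behaviour is the point, not the names.
"""
import os
import stat
import tempfile
from typing import Callable, Mapping, Optional, Tuple

KEY_NAME = "XBY_API_KEY"  # assumption: illustrative variable name
ENV_FILE = ".env"


def save_key_silently(key: str, directory: str) -> str:
    """The pattern the findings describe: the key goes to .env in the working
    directory with no prompt, at whatever mode the umask allows (often 0644),
    where backups and an accidental `git add .` can pick it up."""
    path = os.path.join(directory, ENV_FILE)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{KEY_NAME}={key}\n")
    return path


def get_key(
    environ: Mapping[str, str],
    prompt_user: Optional[Callable[[str], str]] = None,
    allow_persist: bool = False,
    directory: Optional[str] = None,
) -> Tuple[Optional[str], Optional[str]]:
    """Hardened: use the environment if set; otherwise ask the user, saying
    whether the value will be stored; write only on explicit opt-in, with
    mode 0600, and never over an existing file. Returns (key, path_or_None)."""
    key = environ.get(KEY_NAME)
    if key:
        return key, None
    if prompt_user is None:
        return None, None  # no way to ask: fail closed rather than guess
    stored = "will be saved to .env, owner-only" if allow_persist else "will not be saved"
    key = prompt_user(f"{KEY_NAME} is not set; enter it ({stored}): ").strip()
    if not key:
        return None, None
    if not (allow_persist and directory):
        return key, None
    path = os.path.join(directory, ENV_FILE)
    try:
        # O_EXCL: refuse to clobber or append to a file we did not create.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return key, None
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"{KEY_NAME}={key}\n")
    return key, path


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both behaviours in a scratch directory and report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        silent = save_key_silently("sk-demo", d)
        out["silent_wrote_file"] = os.path.isfile(silent)
        os.remove(silent)

        out["env_wins"], _ = get_key({KEY_NAME: "from-env"})
        out["no_prompt_no_key"], _ = get_key({})
        out["nothing_written"] = not os.path.exists(silent)

        key, path = get_key({}, prompt_user=lambda _m: "sk-typed",
                            allow_persist=True, directory=d)
        out["typed_key"] = key
        out["mode"] = file_mode(path)
        with open(path, encoding="utf-8") as fh:
            out["contents"] = fh.read()

        key2, path2 = get_key({}, prompt_user=lambda _m: "sk-other",
                              allow_persist=True, directory=d)
        out["second_write_refused"] = path2 is None and key2 == "sk-other"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {oct(value) if name == 'mode' else value}")
```

A skill that does nothing but fetch pages has no reason to own the second half of this at all; the honest minimum is the environment-first branch plus a visible statement that a third-party key is required.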

Missing User Warnings
Severity: Low
Confidence: 72%
Finding: This function forwards a user-supplied URL directly to a network-fetching backend with no visible validation, restriction, or disclosure mechanism in the tool code. In a webpage-fetching skill this increases SSRF-style and privacy risks if internal, local, or sensitive URLs can be requested, especially because the skill's whole purpose is retrieving remote content on behalf of the agent.
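The URL restriction the Overview recommends and the last three findings say is absent, written out as an added example (not the Xby Fetch skill's code): a guard a fetching skill would run before handing a user-supplied URL to any backend. It refuses non-HTTP schemes, embedded credentials, loopback/private/link-local targets (169.254.169.254 is where cloud metadata lives), and goes beyond the findings by also catching bare decimal and hex IP literals and IPv4-mapped IPv6 addresses; resolution goes through an injectable resolver so the name-based check runs offline. The deny-list names and the scheme set are assumptions for illustration.

```python
"""Outbound-URL guard for a web-fetching agent skill.

Added example, not the Xby Fetch skill's own code. Static checks run on the
URL itself; name resolution goes through an injectable resolver so the check
can be exercised offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}
# Illustrative deny-list (assumption): names that must never leave the agent.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal", "metadata"}
BLOCKED_SUFFIXES = (".localhost", ".local", ".internal")


def _literal_ip(host: str) -> Optional[IPAddr]:
    """Parse host as an IP literal, including the bare decimal/hex forms
    (http://2130706433/, http://0x7f000001/) that libc resolvers accept."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return None
    # ::ffff:127.0.0.1 is loopback in disguise: judge the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def classify_url(url: str) -> Tuple[bool, str]:
    """Static checks only: scheme, embedded credentials, hostname deny-list,
    and IP literals that are not globally routable (loopback, RFC 1918,
    169.254.0.0/16, CGNAT, unspecified)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in url"
    host = parts.hostname  # lowercased, IPv6 brackets removed
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS or host.endswith(BLOCKED_SUFFIXES):
        return False, f"blocked hostname: {host}"
    addr = _literal_ip(host)
    if addr is not None and not addr.is_global:
        return False, f"non-public address: {addr}"
    return True, "ok"


def _system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every address getaddrinfo returns for the name."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_target(url: str, resolver: Resolver = _system_resolver) -> Tuple[bool, str]:
    """Static checks plus resolution: every address the name maps to must be
    globally routable, so an internal name, or a rebinding name that mixes a
    public and a private record, is refused before any request is made."""
    ok, reason = classify_url(url)
    if not ok:
        return ok, reason
    host = urlsplit(url).hostname
    if _literal_ip(host) is not None:
        return True, "ok"  # literal address already judged above
    try:
        addrs = list(resolver(host))
    except OSError as exc:
        return False, f"resolution failed for {host}: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for raw in addrs:
        addr = _literal_ip(raw.split("%", 1)[0])  # drop any IPv6 scope id
        if addr is None or not addr.is_global:
            return False, f"{host} resolves to non-public address {raw}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/page", "http://localhost:8080/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://2130706433/", "http://[::ffff:127.0.0.1]/"):
        print(candidate, classify_url(candidate))
```

Two caveats. The resolved-address check only holds if the HTTP client then connects to the address that was checked; a client that re-resolves the name at connect time is open to rebinding between check and request, so pin the address or resolve inside the client's connection hook. And for a skill like this one, the guard only controls what the agent sends to the third-party backend; what that backend itself will fetch is outside the skill's control, which is the disclosure the findings ask for.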

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal