Xby Mingli

Security checks across malware telemetry and agentic risk

Overview

This fortune-analysis skill is mostly coherent, but it stores an API key locally and can transmit sensitive birth/profile details through a broadly scoped external API client without clear user-facing privacy controls.

Install only if you are comfortable giving this publisher an API key and sending birth details, gender, and possibly location to the xiaobenyang API. Treat the local .env file as sensitive, avoid using someone else's personal data without consent, and review or constrain the generic API helper before using it in a higher-trust environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding
The project structure references a different 'gaokao/school search' skill, which indicates copy-paste drift between documentation and actual function. In security terms this can mislead reviewers and users about what code paths, APIs, or data handling behaviors are really present, increasing the risk that unsafe behavior goes unnoticed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The client accepts a caller-supplied tool_name and forwards it directly to an external MCP endpoint, making this module a generic remote tool proxy rather than a narrowly scoped fortune-analysis (命理) service. In the context of an AI-accessible skill, this expands capability beyond the stated purpose and can enable unintended external actions or data flows if higher layers do not strictly constrain allowed tools.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code forwards arbitrary tool invocation metadata and parameters to an upstream service without any local authorization or scope checks. Because the skill is presented as a fortune-analysis service, this mismatch increases the risk of confused-deputy behavior where users or agents can trigger broader remote functionality than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
This module includes functionality to persist and manage an external API credential in a local .env file, which expands the skill's security footprint beyond simple fortune-analysis (命理分析) logic. While storing an API key is not inherently malicious, doing so silently and in a generic config helper creates unnecessary secret-handling risk, especially for a skill whose stated purpose does not imply credential lifecycle management.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The settings object is configured with the XBY_GAOKAO_ prefix, but the code manually reads and overrides a different variable name, XBY_APIKEY, from .env and the environment. This inconsistency can bypass expected configuration controls, confuse operators, and cause secrets to be loaded from unintended sources, increasing the risk of accidental credential exposure or misuse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to ask for an API key and persist it locally via set_api_key(), but does not clearly warn the user that their credential will be stored. Users may disclose a secret without informed consent, and local persistence expands exposure if the host environment, logs, or config files are accessible to other processes or users.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill collects sensitive personal data such as birth date, time, gender, and possibly location coordinates, then sends them to an external API, but gives no privacy notice or consent flow. This is especially sensitive because such data can be used for profiling, re-identification, or inference about an individual's identity and habits, and users may not realize it leaves the local environment.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The function sends the full params payload to an external API endpoint, but there is no indication here of consent, minimization, or disclosure to users. If params contain sensitive personal details typical of fortune-analysis (命理) services, this creates a privacy and data-handling risk through transmission to a third party.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The function writes the provided API key directly into .env and also exports it into the process environment without any user-facing warning, confirmation, or explanation of persistence. This can lead users to unknowingly store sensitive credentials on disk where they may be committed, backed up, or read by other local processes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This function packages highly sensitive personal data—birth date/time, gender, and optional location coordinates—and sends it to an external API via call_api without any visible consent, notice, minimization, or privacy control in this file. Even if the transfer is core to the feature, undisclosed third-party transmission of personal/profile data creates privacy and compliance risk, especially because exact birth details and location can be sensitive in some jurisdictions and contexts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
These additional fortune-analysis functions also transmit personal birth/profile data to an external service without any visible disclosure or consent handling in the wrapper code. Because the skill is specifically built around sensitive personal attributes, silent export to a remote endpoint increases privacy, trust, and regulatory exposure if users are unaware their data leaves the local tool context.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The instruction to directly present raw API data to the user encourages unfiltered disclosure of whatever the upstream service returns, including echoed credentials, sensitive personal attributes, internal identifiers, or verbose error/debug fields. Because this skill handles personal birth data and external API responses, the context makes raw passthrough more dangerous than in a low-sensitivity tool.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal