follow-nowcoder

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs its stated NowCoder interview-report task, but it disables HTTPS certificate checks during normal searches and has broad local prompt/config file writes that users should review before installing.

Install only if you are comfortable with the skill contacting NowCoder, saving preferences under your home directory, and writing report data locally. Prefer using an isolated Python environment, and remove or fix the TLS verification bypass before relying on the results for private searches or important decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exercises file read/write, network access, and environment-dependent CLI execution without declaring permissions. This reduces transparency and weakens least-privilege controls, making it harder for a host system or reviewer to understand what the skill can access before it runs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is narrow (searching NowCoder interview posts and generating reports), but the instructions also allow local configuration mutation, prompt template modification, local file persistence, dependency installation, and potentially unsafe network behavior such as disabling HTTPS verification. This mismatch can mislead users into granting trust to a skill that performs broader and more sensitive actions than advertised.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The report-preparation path writes collected search results and generated prompt/context data to a predictable local file under .claude/temp/report_data.json. In an agent environment, persisting scraped interview content and derived prompts to disk can unintentionally expose potentially sensitive user/task data to other local processes, later sessions, or logs, especially because this side effect is broader than the user-visible action of 'prepare report'.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comment is misleading because certificate warnings are disabled globally, not just in a debug-only code path. This increases the chance that insecure transport settings remain enabled in production and hides evidence of TLS misconfiguration from operators.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The implementation goes beyond compatibility tuning and fully disables hostname and certificate validation in the custom SSL context. That permits man-in-the-middle interception of HTTPS traffic and defeats the main security guarantees of TLS.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding flow instructs the agent to immediately fetch external content and generate a report without clearly notifying the user that network retrieval will occur right away. Automatic external access can surprise users, consume resources, and expose their interests or search terms to third-party services without meaningful consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code silently writes collected data to a local JSON file without any user-facing disclosure in the command flow. Even if the content is not highly sensitive by design, scraped post details and generated prompts may contain personal, proprietary, or task-specific information, so undisclosed persistence increases privacy and data-retention risk in the agent context.

Missing User Warnings

High
Confidence
99% confidence
Finding
Disabling certificate validation without disclosure causes users to believe their queries and retrieved content are protected by HTTPS when they are not. An active network attacker could intercept, modify, or spoof responses from the remote service.

Missing User Warnings

High
Confidence
100% confidence
Finding
Search requests send user-supplied query terms over HTTPS with verify=False, so sensitive interview-preparation topics or company names may be exposed or altered by a man-in-the-middle attacker. Because this skill is explicitly built to search external content on behalf of users, the unsafe default directly affects normal usage.

Missing User Warnings

High
Confidence
100% confidence
Finding
Feed detail retrieval disables certificate validation while fetching remote page content, allowing an attacker to inject fake or manipulated interview content into the generated report. In this skill context, untrusted remote content is later consumed and summarized, so tampering can mislead users and poison downstream outputs.

VirusTotal

65/65 vendors flagged this skill as clean.
