Back to skill

Security audit

anjuke-skill

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Anjuke automation purpose, but it stores passwords and identity-check details in skill files and can publish or edit real-estate listings without clear approval gates.

Use the Review bucket. Before installing, remove instructions that save passwords, names, or ID fragments into skill files; use interactive login, a platform session, or an approved secret store instead. Add explicit review and confirmation before publishing, transferring internal listing data to Anjuke, or saving live listing edits, and require generated listing descriptions to use only verified property and seller information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to collect the user's Anjuke account password and persist it into a sub-skill document for future reuse. Persistently storing plaintext credentials is unnecessary for the stated business goal of automated listing operations and materially increases the risk of credential disclosure, reuse, and unauthorized account access if the skill files, logs, or downstream tooling are exposed.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill directs the agent to persist a user's real name and the last six digits of their national ID inside the skill document for future reuse. This creates unnecessary long-term storage of sensitive identity data beyond the immediate login session, increasing the risk of privacy violations, unauthorized reuse, and credential/identity compromise if the document is exposed or reused in other contexts.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to add story-like details such as years of familiarity with the community, owner motivations, renovation specifics, and prior buyer interactions, while later requiring that content remain truthful and based on existing listing data. In an automation context, this contradiction can lead the agent to generate persuasive but unverified claims, creating deceptive real-estate listings and potential compliance, fraud, or consumer-protection risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document says the agent should not fabricate owner motivation, but then suggests using reasons gathered from other agents' past cases or general experience and making them detailed to seem real. That creates a strong incentive for the model to insert plausible-sounding but unverified personal circumstances, which is misleading and may expose the operator to legal and reputational harm.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs the agent to request the user's account password and store it for later use without any warning, consent language, or secure handling boundary. In context, this is especially dangerous because the skill is designed for end-to-end account automation, making ongoing access to a real estate platform account possible if the stored credentials are leaked or misused.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to save sensitive identity data without informing the user that the data will be retained for future sessions or explaining the privacy implications. Silent persistence of government identity data undermines informed consent and can expose users to account takeover, identity fraud, or regulatory noncompliance if that information is later leaked or misused.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The invocation guidance is overly broad: any user who provides an internal listing link can trigger publication to an external platform, without documented checks for authorization, ownership, data classification, or explicit confirmation. In a skill that automates end-to-end real-estate operations, weak trigger constraints increase the chance of accidental or unauthorized external publication of internal business data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill describes pushing housing data from an internal network to Anjuke but provides no warning that this transfers internal data to an external platform. This omission is dangerous because users may unknowingly expose sensitive listing details, unpublished inventory, personal information, or regulated data through an automated workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs the agent to access an internal housing system, retrieve listing information, and push that data into Anjuke, but it provides no user-facing consent step, no data-classification checks, and no guardrails around operational side effects. In an automation context, this can cause unauthorized cross-system data transfer, accidental publication of internal or incorrect listings, and business-impacting actions without explicit approval.

Ssd 3

High
Confidence
99% confidence
Finding
Storing the user's account and password in a sub-skill document creates persistent sensitive data at rest inside prompt/config artifacts that may be accessible to other components, operators, or future runs. Because this skill automates login and subsequent account actions, compromise of those stored credentials could enable full unauthorized control over the user's Anjuke account and related listings.

Ssd 3

High
Confidence
99% confidence
Finding
The skill combines collection of identity-verification information with explicit instructions to write that data back into the skill document for later reuse. In the context of an account automation skill, this is especially dangerous because the document becomes a persistent repository of reusable PII that could be accessed by future runs, other users, or unintended tooling, enabling identity misuse and expanding the blast radius of any compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.