Back to skill

Security audit

ds160-autofill

Security checks across malware telemetry and agentic risk

Overview

This skill matches its DS-160 autofill purpose, but it handles sensitive visa and recovery information with weak privacy controls and should be reviewed carefully before use.

Install only if you are comfortable letting an agent process highly sensitive visa information. Use fake data for testing, review every page before continuing, do not rely on the generated security answers, avoid sending personal fields or screenshots to external AI tools unless you explicitly accept that disclosure, keep the workspace private, and delete or protect ds160-user-info.csv and ds160-session.json after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The function randomizes only the choice among a small set of hard-coded security questions and equally hard-coded answers, which makes recovery credentials predictable and reusable. In the DS-160 context, these answers protect access to a sensitive visa application session, so anyone who can infer or inspect the code or saved session data may be able to regain access.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs sending DS-160 field values, including potentially highly sensitive visa and personal information, to an LLM for translation without requiring explicit user consent, minimization, or disclosure of third-party processing. That can expose PII, passport/travel/employment details, and other regulated personal data to external systems beyond the primary task boundary.

Missing User Warnings

High
Confidence
97% confidence
Finding
Sending page snapshots or HTML from an in-progress DS-160 session to an LLM can leak full application contents, hidden fields, identifiers, and recovery data. Because snapshots may contain far more information than the single missing element, this creates unnecessary overexposure of sensitive immigration data to external processing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs captcha screenshots to an image/LLM tool without warning the user that images from a live government application session may be processed externally. Even if the captcha itself is the target, screenshots can include surrounding UI, identifiers, or other contextual data, and automated captcha solving may violate site expectations or controls.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This file defines a complete automation map for filling a DS-160 visa application and enumerates extensive highly sensitive personal data fields, including passport details, national ID, SSN, family relationships, travel history, employment, social media, and security/background answers. Even though it is only a schema/reference file, embedding this breadth of data collection guidance without privacy warning, minimization guidance, or handling constraints materially increases the risk that an agent or integrator will collect, store, or process regulated personal data insecurely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The usage notes explicitly instruct automating field population, state changes, and final button clicks, including submission behavior, but provide no requirement for explicit user review or confirmation before advancing or submitting a government form. In this context, silent automation can cause accidental submission of inaccurate legal statements, expose sensitive information, or complete a high-stakes workflow without meaningful user awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists DS-160 session data, including application ID, security question, and security answer, to a predictable local file path without any warning, consent flow, or evident access control. Because this skill handles highly sensitive immigration data, local plaintext persistence materially increases exposure to other local users, malware, backups, or accidental disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function writes visa form CSV content to disk in the workspace without warning the user that their full DS-160 personal data may be retained locally. In this skill's context, the CSV can contain extensive personally identifiable and immigration-related information, so plaintext storage meaningfully raises the risk of privacy breach, unauthorized reuse, and long-term data retention beyond user expectations.

Ssd 3

Medium
Confidence
93% confidence
Finding
The workflow tells the agent to repeatedly report the Application ID and initially disclose the security question and answer back to the user. Repetition of account/session recovery material increases the chance of accidental exposure through logs, transcripts, screen sharing, or compromise of the chat history.

Ssd 3

High
Confidence
99% confidence
Finding
The instruction to include the security question and answer in every report is a clear sensitive-data exposure issue. These values function as recovery secrets for the application, so repeatedly printing them materially increases the risk of unauthorized resume/access if transcripts or logs are exposed.

Ssd 3

Medium
Confidence
96% confidence
Finding
The example output normalizes disclosure of the full application ID and full security answer in plain text, which encourages insecure implementation and operator behavior. Such examples often get copied directly into production prompts and reporting flows, amplifying the likelihood of sensitive data leakage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.