Back to skill

Security audit

知识库 Wiki 编译器

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tencent IMA knowledge-base organizer that can make real knowledge-base changes, but its sensitive behavior is coherent with that purpose and includes confirmation and backup guidance.

Install only if you intend to let the agent work with Tencent IMA using your API credentials. Review proposed source lists, destination knowledge base IDs, note IDs, and tag changes before approving writes, and avoid running it on confidential or regulated content unless Tencent IMA, web search, and LLM processing are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill is scoped as a knowledge-base/wiki compiler, but it explicitly instructs the agent to use general web search to gather additional materials. That expands behavior from organizing user-provided or existing KB content into autonomous external data acquisition, which can introduce untrusted content, privacy leakage through query transmission, and scope creep without a clear consent boundary.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill's stated purpose is wiki compilation and knowledge organization, but this file includes detailed procedures and runnable examples for destructive operations such as deleting notes and tags. Even though the document adds warnings and confirmation gates, exposing unnecessary destructive capabilities broadens the attack surface and increases the chance an agent will perform irreversible actions outside the intended scope.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include broad everyday expressions like '建知识库', '整理资料库', and '按标签分类', increasing the chance the skill activates in ambiguous contexts. Accidental invocation matters here because the skill can perform write operations, move knowledge items, modify tags, and create notes, so false activation could lead to unintended changes in a user's knowledge base.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document instructs users to place API credentials in environment variables or local files and shows immediate use of those secrets in remote API calls, but it does not warn that the material will be transmitted to a third-party service or discuss safe handling of secrets. This can lead to accidental credential exposure, insecure operational practices, or unintentional transmission of sensitive data by users following the examples verbatim.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples include modifying and destructive operations such as moving knowledge items, altering tags, and deleting notes, but they lack explicit warnings that these actions can change or remove remote user data. In an automation context, this increases the chance of accidental data loss or unauthorized modification if operators treat the examples as safe defaults.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs operators to call remote APIs with exported credentials and to fetch note content via a returned URL, but it does not explicitly warn that sensitive note and knowledge-base data will be transmitted to external services and handled in shell pipelines. In a knowledge-base compilation skill, this increases the chance of unreviewed data exposure, especially if users run the commands on sensitive internal content without understanding the privacy implications.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The workflow tells users to write a new version and replace prior notes, which changes remote note state, but it does not clearly warn that this operation creates or modifies persistent records in the remote knowledge base. That omission can lead to unintended changes, duplicate content, or accidental overwrites during operational use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes concrete curl examples that use live API credential headers but does not warn that these values are sensitive secrets or instruct users to avoid logging, sharing, or hardcoding them. In an operational skill that compiles knowledge-base content via remote APIs, this increases the chance of credential leakage through shell history, screenshots, pasted commands, or debug output.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to retrieve and reuse permanent URLs for knowledge-base content without warning that these links may expose internal material beyond the intended access boundary or facilitate broader redistribution. In a wiki-compilation workflow, encouraging propagation of durable links can expand data exposure if the linked content is sensitive, access-controlled, or intended to remain inside the platform.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This workflow explicitly instructs the skill to perform network searches and then modify the knowledge base, but it does not require an explicit user warning or consent for external access and repository changes at the start of the flow. In an agent setting, this can lead to unexpected data egress, ingestion of untrusted external content, and unintended modifications to the user’s knowledge base.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases for tag review are broad enough that ordinary user requests like '整理标签' could invoke review or maintenance behavior without clear user intent. In a skill that can enumerate tags and potentially lead into destructive follow-up operations such as rename/delete, ambiguous activation increases the chance of unintended actions or data-management changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow instructs the system to send each article's content to an LLM for keyword extraction, but there is no user-facing notice or consent step about content being processed by a model or potentially transmitted to another service. Because this skill is for compiling knowledge bases from user materials, the content may include sensitive internal documents, making silent automated processing a privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to POST locally prepared note content to a remote Tencent IMA API using API credentials, but it does not clearly warn that the content will leave the local environment and be transmitted to an external service. In a knowledge-base compilation skill, source materials may contain sensitive internal documents, so omission of an explicit data-transfer warning can lead to unintended disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
-H "ima-openapi-apikey: $IMA_OPENAPI_APIKEY" | python3 -m json.tool

# 创建笔记本
curl -s -X POST "https://ima.qq.com/openapi/note/v1/create_notebook" \
  -H "ima-openapi-clientid: $IMA_OPENAPI_CLIENTID" \
  -H "ima-openapi-apikey: $IMA_OPENAPI_APIKEY" \
  -H "Content-Type: application/json" \
Confidence
87% confidence
Finding
curl -s -X POST "https://ima.qq.com/openapi/note/v1/create_notebook" \ -H "ima-openapi-clientid: $IMA_OPENAPI_CLIENTID" \ -H "ima-openapi-apikey: $IMA_OPENAPI_APIKEY" \ -H "Content-Type: applica

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.