Back to skill

Security audit

"dataify-google-play-store-reviews-by-url"

Security checks across malware telemetry and agentic risk

Overview

This skill builds a user-directed Dataify curl request and its credential and outbound API behavior are disclosed and aligned with that purpose.

Install only if you intend to use Dataify's scraper API. Treat DATAIFY_API_TOKEN as a secret, avoid putting it in synced dotfiles or shared-machine profiles, review the generated curl command before running it, and avoid sending sensitive URLs or identifiers as scraper parameters unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly expects access to environment variables, local files, and shell command generation/execution, yet it declares no explicit permissions or trust boundary. This creates hidden capability exposure: a user or platform may not realize the skill can read secrets, inspect local files, and produce executable commands that use those secrets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to persistently place a bearer token into shell profile files such as .bashrc and .zshrc without discussing the security tradeoffs. Long-lived tokens in startup files are easier to leak through backups, dotfile sync, shoulder surfing, local compromise, or accidental sharing, and they remain available to many future sessions and tools.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells the user to create and run a curl request that sends both user-provided data and a bearer token to an external service, but it does not warn that this is outbound transmission to a third party. In a security-sensitive assistant context, failing to disclose external data flow increases the chance of unintentional secret or sensitive-data exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: "dataify-google-play-store-reviews-by-url"
description: "Prepare Dataify builder requests for the play.google.com scraper family rooted at google-play-store_reviews_by-url. Use  when needs to work with the successful Dataify scraper detail entry for google-play-store_reviews_by-url, let the user choose one of its available tools, read saved getToolParams options, and generate a scraperapi.dataify.com/builder curl request with DATAIFY_API_TOKEN."
---

# Dataify Builder Skill
Confidence
92% confidence
Finding
curl request with DATAIFY_API_TOKEN." --- # Dataify Builder Skill Use this skill to prepare Dataify builder requests for the scraper family rooted at `google-play-store_reviews_by-url` on `play.goog

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: "dataify-google-play-store-reviews-by-url"
description: "为 play.google.com 上以 google-play-store_reviews_by-url 为根的 scraper 系列准备 Dataify builder 请求。当需要处理成功的 Dataify scraper detail 条目 google-play-store_reviews_by-url、让用户选择可用工具、读取已保存的 getToolParams 选项,并使用 DATAIFY_API_TOKEN 生成 scraperapi.dataify.com/builder curl 请求时,使用此 skill。"
---

# Dataify Builder Skill 中文版
Confidence
90% confidence
Finding
curl 请求时,使用此 skill。" --- # Dataify Builder Skill 中文版 这个 skill 用于为 `play.google.com` 下、以 `google-play-store_reviews_by-url` 为入口的 Dataify scraper 工具族生成 builder 请求。 ## 工作流程 1. 先检查环境变量中是否存在 `DATAIFY_A

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.