Back to skill

Security audit

Formora Survey

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it manages Formora surveys, sharing, exports, and optional ad campaigns, but users should be careful with configured posting and ad credentials.

Install only if you want an agent to manage Formora surveys and potentially use your configured messaging or ad accounts. Keep paid ads disabled unless needed, leave paused creation enabled, review recipients and budgets before broadcast or ads-launch, use least-privilege API tokens, and avoid QR generation for sensitive links unless local QR support is installed or you accept the third-party QR fallback seeing the published survey URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'ADS_STATE_PATH' from os.environ.get (line 50, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
def save_ads_state(state):
    ADS_STATE_PATH.parent.mkdir(parents=True, exist_ok=True)
    ADS_STATE_PATH.write_text(json.dumps(state, ensure_ascii=False, indent=2), encoding="utf-8")


def get_spend_summary(state, now=None):
Confidence
80% confidence
Finding
ADS_STATE_PATH.write_text(json.dumps(state, ensure_ascii=False, indent=2), encoding="utf-8")

Tainted flow: 'req' from os.environ.get (line 351, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
except Exception:
        qr_api = f"https://api.qrserver.com/v1/create-qr-code/?size=400x400&data={urllib.parse.quote(url)}"
        req = urllib.request.Request(qr_api, headers={"User-Agent": "Mozilla/5.0"})
        with urllib.request.urlopen(req) as resp, open(out_path, "wb") as f:
            f.write(resp.read())
        return out_path
Confidence
88% confidence
Finding
with urllib.request.urlopen(req) as resp, open(out_path, "wb") as f:

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill description promises preview-before-publish confirmation, but the documented CLI exposes a direct `publish` path that does not itself enforce a fresh confirmation gate, creating a workflow-integrity gap. In addition, response retrieval/export expands the skill's data-handling scope beyond the high-level description, which can lead users or policy layers to underestimate access to potentially sensitive survey responses and exports.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description promises that publishing always requires explicit user confirmation, but the publish command performs immediate publication with no interactive check. In agent contexts this mismatch is dangerous because downstream systems may rely on the documented safeguard and unintentionally publish surveys publicly.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The description claims ads are created paused by default, but that guarantee can be disabled via FORMORA_ADS_REQUIRE_PAUSED_CREATE, allowing campaigns to be created enabled. In an agent or automation environment, this can lead to unintended ad spend despite the advertised safety control.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.