Back to skill

Security audit

IELTS Reading Review 雅思阅读复盘

Security checks across malware telemetry and agentic risk

Overview

This IELTS review skill has a real study workflow, but it also installs auto-update hooks, stores long-lived tokens in shell files, scans broad local folders, and includes remote deployment/telemetry tooling that users should review carefully.

Install only if you trust the publisher and want the web-sync workflow. Before using it, review the auto-update hook, disable or remove telemetry if undesired, avoid running author-mode SSH deployment on non-author machines, prefer a dedicated low-privilege website account, and understand that review JSON, answers, timing, and a long-lived token may be stored locally and sent to www.liuxue.online.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no permissions while instructing use of environment variables, local file writes, shell commands, SSH, and network requests. This undermines any permission or user-consent model and increases the chance that a seemingly harmless review skill performs powerful local and remote actions without clear authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is IELTS review, but the skill also includes self-update behavior, credential acquisition/storage, broad local scanning, deployment workflows, and other operational capabilities beyond that purpose. Description-behavior mismatch is dangerous because users may grant trust for an educational workflow while the skill performs sensitive system and credential operations they did not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The auto-discovery flow directs scanning broad user locations such as Documents, Desktop, Downloads, iCloud, and other directories to find review materials. That exceeds least-privilege for a review skill and can expose unrelated private files and metadata during discovery, especially because scanning is the default recommendation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The onboarding instructions tell the agent to extract an authentication token from browser localStorage and persist it in shell startup files. This is a credential-handling workflow unrelated to simple review analysis and materially increases the risk of token theft, reuse, leakage into logs, or compromise through shell configuration exposure.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The hook executes a local Node.js script and, on a matching output string, invokes it again with an auto-update flag that can modify the installed skill. That behavior exceeds the stated purpose of an IELTS review skill and creates a code-execution and self-modifying update path triggered during normal skill use, which increases supply-chain and integrity risk if the update script or local skill directory is tampered with.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This hook runs a local shell script automatically on prompt submission whenever broad IELTS-related terms are detected. Executing shell code is not necessary for reviewing reading passages, and tying it to normal user prompts creates an implicit code-execution path that could modify files, fetch remote content, or change the skill without explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The onboarding document describes behaviors beyond the stated skill scope, including cross-skill operation, account syncing, and a browser-based authorization flow. This expands the effective trust boundary and can mislead users about what the skill will access or perform, increasing the risk of overprivileged use and unsafe consent.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The claim that the token 'never leaves your computer' is inaccurate because the token must be generated or delivered through the website and browser callback flow. Misrepresenting credential flow can cause users to underestimate exposure and trust the process without understanding where tokens transit or who can access them.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script performs an unsolicited outbound POST to an external endpoint whenever a PDF is generated, which is unrelated to the core IELTS review function and creates hidden network behavior. Even though the payload is limited to event, version, and timestamp, it still leaks usage metadata to a third party and normalizes undeclared telemetry inside a local file-processing tool; in context, the loaded HTML may also trigger additional network requests during rendering because page.goto waits for network activity to settle.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script provisions a browser-based authorization flow, receives a user token on a local callback server, validates it remotely, and then persists that token in the user's shell startup file. For a reading-review skill, this is broader and more persistent access than necessary, and storing long-lived credentials in plaintext shell rc files increases the risk of credential theft by local users, malware, backups, or accidental disclosure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script provisions Cloudflare infrastructure and deploys a Worker, which materially expands the skill's capabilities beyond simple IELTS review generation and the stated saveReview workflow. In an agent-skill context, hidden or weakly justified deployment behavior increases the risk of unauthorized external services being created, telemetry endpoints being introduced, and user data being sent to infrastructure the user did not explicitly approve.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The presence of Cloudflare Worker deployment capability is not well aligned with the described purpose of reviewing IELTS reading passages, creating a functionality mismatch. That mismatch is dangerous because it can conceal external networking, data collection, or persistence features under an educational skill, reducing transparency and making abuse or over-collection harder for users to detect.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This worker adds telemetry collection and a public statistics service that are outside the stated review/scoring/import functionality of the skill, creating undisclosed data flows and infrastructure. Even if the payload is limited to event, version, and timestamp, hidden analytics expand the attack surface, create a privacy/trust concern, and may violate least-privilege expectations for a user-facing educational skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code exposes cross-origin GET/POST access with Access-Control-Allow-Origin: * to both telemetry ingestion and stats retrieval endpoints, allowing any website to trigger event writes and read published analytics from a browser. In this skill context, analytics are not part of the core IELTS review function, so the open CORS design makes the unexplained side service more dangerous by enabling abuse, data pollution, and unauthorized visibility into usage patterns.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README encourages uploading generated JSON to a remote web system but does not prominently warn users that study records, answers, timing, and other review content will leave the local device. This weakens informed consent and can lead to unintended disclosure of personal learning data, especially given earlier offline-first messaging that may lower user suspicion about network transmission.

Vague Triggers

High
Confidence
89% confidence
Finding
The trigger phrases are extremely broad and include common terms like score, band, progress, batch import, and auto scan. Overbroad triggers increase the chance of accidental activation of a skill that performs network calls, file scanning, and deployment actions, causing unintended data handling.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill says any IELTS-reading-related material must trigger the full closed-loop workflow, even for simple checking requests. This removes user choice and can escalate benign requests into storage, upload, and database actions without meaningful consent.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill recommends automatically scanning common directories across the computer without a prominent up-front privacy warning or explicit consent for local file access. Because the scan targets broad personal locations, it can reveal unrelated filenames, folder structures, and study materials beyond the user's intended upload set.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The token extraction steps do not clearly communicate that the localStorage token is a sensitive authentication secret that can grant long-term account access. Users may unknowingly expose or persist a powerful bearer token in insecure locations because the instructions normalize handling it like ordinary configuration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The hook performs code execution and reads local metadata/files as part of an automatic update flow without prior user warning or consent in the execution path. In this skill context, that is risky because users invoking an IELTS review capability would not reasonably expect local code execution that can alter installed components, making silent changes and trust-boundary violations more dangerous.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The matcher is broad and includes generic terms such as 'IELTS', '复盘', and pattern matches like '剑[0-9]', so ordinary conversation can trigger the hook unexpectedly. Because the trigger leads directly to shell-script execution, overbroad matching increases the chance of unintended execution and expands the attack surface for any downstream update mechanism.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manual fallback instructs users to extract a long-lived token from browser localStorage and paste it into a terminal, but does not provide a strong warning about credential sensitivity. This normalizes unsafe secret handling and increases the chance of token disclosure through shell history, screen sharing, logs, or shoulder surfing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script's default behavior enables auto-discovery when no directory is provided, scanning common personal locations such as Documents, Desktop, Downloads, and iCloud and then emitting discovered directory information and sample file names. This can reveal sensitive local file paths and study/private document names without an explicit runtime consent step, which is especially risky in an agent context where a user may not realize a broad filesystem scan will occur.

Missing User Warnings

Low
Confidence
87% confidence
Finding
When --out is used, the script writes structured scan results containing absolute paths, filenames, timestamps, and other metadata directly to disk without any warning or redaction. If that output file is later synced, shared, or stored in a less protected location, it can leak private filesystem structure and document metadata beyond the original scan session.

Ssd 3

High
Confidence
99% confidence
Finding
This section explicitly instructs collection of an auth token from browser storage and persistence into `~/.zshrc`, where it may be readable by other processes, shell history workflows, backups, screenshots, or accidental sharing. A stolen token could allow unauthorized access to the user's account and data on the remote IELTS service, especially since the document states the token is long-lived.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/check-update.js:60