Back to skill

Security audit

Ielts Review Upload

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by uploading IELTS review data, but it also sends persistent local identity signals and uses exposed credentials in ways users should review before installing.

Install only if you are comfortable sending the selected review file, a persistent machine-derived ID, and your local username to tuyaya.online. Avoid using the GitHub download fallback, do not upload unrelated HTML files, and do not share generated dashboard URLs because they include an API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs reading a local file and executing shell commands, but does not declare those capabilities or present them transparently. Hidden or undeclared execution/file access increases the chance that users or platform controls cannot properly evaluate the risk before the skill runs.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Generating a stable identifier from hostname and username creates a persistent device/user fingerprint unrelated to the minimum data needed to upload a review record. Even if hashed, it enables long-term correlation across uploads and exposes host-derived identity material to a remote service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill permits downloading an executable script from GitHub at runtime and then making it executable, which introduces a software supply-chain risk well beyond simple file upload. If the remote content is changed, compromised, or intercepted through a trusted upstream account, the skill could execute arbitrary attacker-controlled code on the host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script derives a stable identifier from local hostname and username and transmits it to a remote service. Even though it hashes the value, it is still a persistent pseudonymous device/user fingerprint tied to local system metadata, which exceeds what is necessary for simply uploading a review file and enables cross-session tracking without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill description centers on uploading JSON review data, but the script also reads arbitrary local HTML files and uploads their full contents. This broadens data exfiltration scope beyond the declared purpose, increasing the risk that sensitive local content is transmitted to the server unintentionally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description omits that it uploads user review data together with a stable machine-derived identifier to a remote server. This lack of notice undermines informed consent and can cause users to share more personal or device-identifying information than they expect.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions tell the operator to download and execute a remote script without any warning, sandboxing guidance, or integrity verification. This normalizes running unreviewed external code and materially increases the risk of remote code execution and environment compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Embedding a live API key in skill documentation/script exposes a credential that can be copied and abused by anyone with access to the skill. Attackers could use it to submit unauthorized data, enumerate backend behavior, consume service quota, or pivot into broader backend misuse if the key is overprivileged.

External Script Fetching

Low
Category
Supply Chain
Content
**如果脚本不存在**:
从当前 Skill 目录复制,或者从 GitHub 下载:
```bash
curl -o scripts/sync-review.sh https://raw.githubusercontent.com/dengjiawei1226/ielts-reading-review/main/scripts/sync-review.sh
chmod +x scripts/sync-review.sh
```
Confidence
96% confidence
Finding
curl -o scripts/sync-review.sh https://raw.githubusercontent.com/dengjiawei1226/ielts-reading-review/main/scripts/sync-review.sh chmod +x scripts/sync-review.sh ``` ### Step 3: Return Dashboard URL

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.