Back to skill

Security audit

内容引擎

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed content analysis and generation skill that uses expected third-party APIs, credentials, local workspaces, and media generation for its stated purpose.

Install only if you are comfortable giving this skill TikHub, Ofox/OpenRouter, and Ark credentials and sending XHS content, brand graph context, product details, and prompts to those providers. Keep .env files private, do not set OFOX_BASE_URL, ARK_BASE_URL, or TIKHUB_BASE_URL to untrusted hosts, use --no-real-video to avoid paid Seedance video generation, and review or delete generated workspaces if they contain confidential campaign material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'req' from os.environ.get (line 69, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            data = json.loads(resp.read())
    except urllib.error.HTTPError as e:
        err_body = e.read().decode("utf-8", errors="replace")[:500]
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 186, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
out_path.parent.mkdir(parents=True, exist_ok=True)
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "curl/8.7.1"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out_path.write_bytes(resp.read())
    except urllib.error.HTTPError as e:
        raise SeedanceError(f"HTTP {e.code} downloading video from {url[:80]}") from e
Confidence
84% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The client explicitly sets a curl-mimicking User-Agent to avoid Cloudflare blocking, and the comments state that this is intended to bypass anti-bot filtering. Even if used for compatibility, deliberately impersonating another client to evade access controls weakens platform defenses and may violate provider terms or trigger downstream abuse concerns.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are overly broad everyday language such as asking to 'analyze' or 'study' a link, which can cause the skill to activate in contexts the user did not intend. Because this skill can fetch remote content, write files, and later invoke generation workflows, accidental invocation expands the risk surface and may trigger networked or stateful actions without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
This code performs a server-side GET to a user-supplied URL and automatically follows redirects, then trusts the resulting URL enough to parse data from it. Although the initial regex restricts input to xhslink.com or www.xiaohongshu.com, there is no validation that the final redirected destination remains on an approved host, so the skill can be used to trigger unintended outbound requests and interact with arbitrary redirect targets controlled through external infrastructure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This client transmits the full `messages` payload to a third-party LLM gateway over the network, which can include sensitive user prompts, internal instructions, or proprietary content. The code itself performs no consent check, redaction, or data-classification guard before exfiltrating that content to `api.ofox.ai`, so misuse or accidental leakage is plausible in this skill context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When no existing card is found, the code automatically launches `extract_xhs.py` and creates a workspace plus stub files without any confirmation or policy check. In an agent skill context, this is risky because a simple lookup operation can silently trigger external processing, network access, and persistent filesystem writes from untrusted user-provided links, expanding the attack surface and violating least surprise.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The compose flow sends prompt content to an external Seedance service, which can disclose proprietary campaign ideas, unpublished creative content, or sensitive user-provided data if callers are unaware of the network transfer. In a content-engine skill, external generation is expected, but the risk remains because prompt bodies may contain confidential brand strategy or customer information and there is no explicit consent or redaction control in this path.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The async submission path also transmits shot prompts to an external service without any visible warning, creating the same confidentiality and compliance risk as the synchronous path. Because this helper can batch-submit many shots at once, it can amplify unintended data exposure if sensitive prompts are included.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script downloads note metadata, comments, videos, and images from remote services and persists them to a local workspace under a temp directory, but it provides only operational progress logs rather than an explicit privacy/data-handling notice or consent gate. This can expose users to unintentional collection and retention of potentially sensitive third-party content, especially on shared machines or when operators do not realize data is being stored beyond the current session.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.