
Security audit

企雀医美系统-AI助手

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate QiQue business API helper, but it asks users to paste and persist sensitive API credentials for high-impact customer and business operations.

Install only if you trust the publisher and can provide least-privilege, revocable QiQue credentials. Do not paste production app_secret values into normal chat unless your environment securely redacts and stores secrets; rotate any secrets already entered, and prefer a vault or scoped config mechanism over conversational memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 82%
Finding
The signature section gives exact instructions for combining long-lived secrets with request parameters to generate an MD5 signature, but provides no safety constraints around where this computation should occur or how the secrets must be protected. In an agent skill context, that omission is risky because an LLM-driven workflow may attempt to handle signing in prompts, logs, or user-visible text, which could expose reusable credentials and enable unauthorized API calls.
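As an added illustration of the concern in this finding and of the overview's advice to prefer a vault or scoped config over conversational memory (example code, not from the skill or from QiQue): the secret is read from environment variables whose names are assumed, signing happens on the tool side over an assumed canonicalisation (sorted `k=v` pairs joined with `&`, secret appended), and only the signature, never the secret, is returned to the model-facing layer.

```python
import hashlib
import os

# Assumed variable names; the real skill does not define them.
APP_ID_VAR = "QIQUE_APP_ID"
APP_SECRET_VAR = "QIQUE_APP_SECRET"


def load_credentials(env=os.environ):
    """Fetch app_id/app_secret from the environment (or a vault shim behind it),
    so the secret is never pasted into chat or kept in the agent's memory."""
    try:
        return env[APP_ID_VAR], env[APP_SECRET_VAR]
    except KeyError as exc:
        raise RuntimeError(f"missing credential variable {exc}") from None


def sign_request(params, app_secret):
    """MD5 signature over the sorted params plus the secret.
    The concatenation scheme here is an assumption for illustration; the real
    QiQue scheme may differ. The secret is consumed, never returned."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.md5((canonical + app_secret).encode("utf-8")).hexdigest()


def redact(text, app_secret):
    """Scrub the secret from anything destined for chat, logs or persisted state."""
    return text.replace(app_secret, "[REDACTED app_secret]") if app_secret else text


def build_signed_call(params, env=os.environ):
    """Sign on the tool side and hand back a payload that is safe to show the
    model or user: app_id and signature are present, the secret is not."""
    app_id, app_secret = load_credentials(env)
    signed = dict(params, app_id=app_id)
    signed["sign"] = sign_request(signed, app_secret)
    # Defensive check: the outgoing payload must not carry the secret anywhere.
    if app_secret in repr(signed):
        raise ValueError("app_secret leaked into request payload")
    return signed
```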

Ssd 3

Medium
Confidence: 97%
Finding
The skill explicitly instructs the agent to keep API credentials persistent between turns, which creates unnecessary secret retention in conversational memory or auxiliary state. If that memory is exposed through prompt leakage, logging, debugging, or cross-session confusion, the retained credentials could be reused to access backend business APIs.

Ssd 3

Medium
Confidence: 98%
Finding
The workflow tells users to send `app_id` and `app_secret` directly in chat, encouraging collection of sensitive credentials through a natural-language channel that may be logged, replayed, or visible to unintended parties. Because these are API secrets for a business system, compromise could enable unauthorized reads or writes across customer, wallet, appointment, order, or messaging functions.

Ssd 3

Medium
Confidence: 98%
Finding
The credential policy goes beyond transient use and directs the agent to persist newly supplied secrets to memory or config state and overwrite them later, normalizing long-term storage of high-value API credentials. In a skill that can drive operational workflows, stolen persisted secrets could permit sustained unauthorized access and business-impacting actions.

Ssd 3

High
Confidence: 98%
Finding
The prompt explicitly instructs the assistant to store sensitive app_id and app_secret long-term and reuse them in future interactions. Indefinite retention of credentials increases the blast radius of prompt leakage, cross-session exposure, unauthorized reuse, and compromise of the connected QiQue backend if the assistant or its memory layer is accessed by unintended parties.

VirusTotal

66/66 vendors flagged this skill as clean.
