Security audit

巴厘岛旅游资源解析入库 (Bali Tourism Resource Parsing and Import)

Security checks across malware telemetry and agentic risk

Overview

This Bali tourism import skill has a coherent import purpose, but users should review it because it can modify production CSVs, delete files in a chosen folder, and includes under-disclosed Redis broadcasting.

Install only after confirming you want this skill to write to your production CSV files. Use a dedicated temporary target folder, back up CSVs first, require a dry run or preview before appending, disable or remove Redis broadcasting unless you explicitly need it, and restrict cleanup to files created during the current run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
Allowing the skill to pull public web information to fill missing contract fields expands it from deterministic document import into open-ended external research. That increases the chance of importing unverified or poisoned data, and may cause unintended network access beyond what users expect from a local CSV ingestion SOP.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The cleanup logic preserves files only when their filenames start with generic prefixes like '活动数据' (activity data) or '酒店数据' (hotel data), but the documented outputs begin with supplier names such as 'BountyCruises活动数据_YYYYMMDD.csv'. In practice this mismatch can delete expected result CSVs or other user files in the target directory, causing data loss after processing.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The script resolves a template path but never uses the template headers to validate or normalize the incoming CSV before writing. If the target file does not exist, it derives headers from attacker- or user-controlled input and writes directly into the production/default CSV location, which can corrupt schema, misalign columns, or poison downstream ingestion pipelines in a data-import skill whose safety requirement explicitly depends on exact header matching.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The code advertises a trusted template fallback chain, which implies schema control, but the resolved template is only printed and never used in write-time enforcement. In this skill context, that mismatch is security-relevant because operators may believe writes are constrained by the production/reference schema when they are not, enabling unsafe imports and silent data integrity failures.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
This script adds Redis Stream broadcast behavior that is not justified by the declared skill purpose of parsing supplier documents and importing CSV data. Even though the code is not overtly malicious, it creates an additional outbound signaling channel that can leak operational metadata or trigger downstream automation outside the user's expected workflow, which is risky in an agent skill context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code introduces external network/message-queue publication via Redis without clear justification from the skill description. In an agent environment, unexpected outbound communication expands the attack surface and can be abused for covert data exfiltration, unauthorized workflow triggering, or propagation of untrusted resource metadata into other systems.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
Broad trigger phrases like '资源入库' (resource import) or 'CSV入库' (CSV import) without exclusion conditions can cause accidental activation on unrelated tasks. In this skill's context, unintended invocation is more dangerous because the workflow includes downloading files, parsing documents, appending to production CSVs, and deleting files in a target directory.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
Ambiguous 'automatic recognition' guidance for extracting URLs, model paths, and target paths can over-interpret user text and trigger downstream file or network actions on the wrong resources. Because this skill writes to production CSVs and cleans directories, mis-scoping inputs can lead to unauthorized modification or deletion of files.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The eval prompts and expected behavior indicate the skill should activate on broad, loosely constrained phrases like '帮我入库' ("help me import this") and handle arbitrary supplier documents, images, and even a Google Drive link containing mixed files. This increases the chance of unintended invocation and overbroad processing of untrusted external content, which can trigger the skill in contexts where the user did not clearly authorize bulk parsing or import operations.

VirusTotal

65 of 65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.