bizyair-skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose of BizyAir media generation, but it deserves review because it uses an API key for paid actions, uploads user media, retains prompts and file paths locally, and allows hidden instructions in tool output.

Install only if you are comfortable giving the skill a BizyAir API key, letting it spend BizyAir balance after confirmation, uploading selected local media to BizyAir/OSS, and retaining prompts/file paths in local runtime and batch files. Avoid sensitive prompts or private source media unless that exposure is acceptable, and clear the skill runtime state after sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The manifest markets the skill as media generation and BizyAir app execution, but the instructions authorize materially broader actions including API key checking, wallet/balance access, call-history retrieval, ModelZoo endpoint execution, and batch orchestration with persistent local state. This mismatch can cause users or platform policy to underestimate the skill's reach, increasing the chance of unintended account data exposure, unexpected spend, or broader-than-expected automation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code derives host and session identifiers from environment variables, tty names, parent PID, working directory, and workspace root, then persists them in runtime state. This creates unnecessary collection and storage of host/session metadata unrelated to core BizyAir generation, increasing privacy risk and potentially enabling cross-session tracking or host fingerprinting.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation description is broad enough to trigger on common requests about image/video generation, BizyAir mentions, links, IDs, or app search, which can make the skill run in situations where the user did not intend account-linked BizyAir actions. In this context, overbroad triggering is riskier because the skill can check credentials, inspect balances, query history, and prepare billable tasks.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill directs the agent to run search commands with `--remote`, which sends user-provided queries to an external service, but it gives no disclosure or consent guidance. This creates a privacy and data-handling risk because users may provide sensitive prompts, IDs, or links without realizing they are being transmitted off-platform.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The candidate search flow instructs the agent to send up to five user-derived keywords remotely and even retry with derived subword variants, increasing the amount of user input disclosed to external services. Without a privacy warning, consent check, or sensitivity filtering, this can leak user interests, project details, or other confidential terms.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation explicitly states that single-call details for `trd_api_record` include `request_payload` (raw parameters), which can contain prompts, identifiers, API inputs, or other sensitive user-supplied data. Exposing or encouraging retrieval of raw payloads without any warning, minimization guidance, or access-control caveats creates a real data exposure risk, especially in an account/assets skill that centralizes operational history.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs agents to upload user-provided local media files to OSS and convert them into externally reachable HTTP URLs, but it does not require an explicit user notice or consent step about third-party transmission and storage. In a media-generation workflow this creates a real privacy risk because sensitive photos, audio, or video may be sent off-device and retained remotely without the user understanding that transfer.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The batch worker inherits the API key through the BIZYAIR_API_KEY environment variable, and environment-based secret propagation can expose credentials to child processes, crash dumps, debugging tools, or other local observers depending on platform and runtime configuration. In this skill, batch mode deliberately spawns multiple subprocesses and detached workers, which increases the secret's exposure surface and makes accidental leakage more plausible.

Ssd 1

Medium
Confidence
90% confidence
Finding
The manifest explicitly instructs the agent to treat portions of returned content marked as 'for agent / LLM only' differently from what is shown to the user, creating a hidden control channel inside externally sourced search results. Because those results come from remote systems, this opens a prompt-injection path where untrusted content can silently alter later agent behavior without user visibility.

VirusTotal

66/66 vendors flagged this skill as clean.