HiEnergy Advertiser Intelligence Affiliate Copilot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real HiEnergy affiliate-management integration, but it exposes sensitive business data and remote write actions that need user review before installation.

Install only if you intend to let an agent access HiEnergy affiliate business data, including contacts and transaction/commission information. Use a least-privilege HiEnergy API key, avoid running debug scripts in shared logs or CI, and require explicit human approval before any contact creation, contact reassignment, or publisher update.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (12)

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The skill exposes write-capable operations (`create_contact`, `replace_contact`, and `update_publisher`) even though the primary framing is search/intelligence. In an agent setting, this increases the risk of unintended state changes, especially because these mutating methods are directly callable and not gated by explicit confirmation, role checks, or a read-only mode within the skill.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: `update_publisher` allows arbitrary PATCH updates to publisher attributes, and the docstring explicitly mentions network keys/credentials. In a broad agent environment, credential-related updates are highly sensitive because a prompt or misrouted call could alter account configuration or break integrations without additional safeguards.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script retrieves affiliate contact records and prints names and email addresses directly to stdout without any minimization, masking, consent check, or warning that personally identifiable information is being exposed. In operational environments, console output is often captured by logs, terminals, CI systems, or chat surfaces, which can unintentionally broaden access to partner contact data beyond those who need it.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script prints transaction date, commission amount, currency, and status for matching affiliate transactions directly to stdout. In affiliate/marketing operations, these fields are potentially sensitive business and financial data, and stdout is often captured by logs, terminals, CI systems, or shared execution environments, which can lead to unintended disclosure.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script prints a full transaction object for debugging when no publisher match is found, which can expose sensitive affiliate data such as publisher details, transaction metadata, commissions, identifiers, or other internal fields to logs or console output. In this skill context, transaction analytics and partner data are business-sensitive, so dumping raw API responses increases the risk of unintended disclosure through terminal history, CI logs, shared notebooks, or support screenshots.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script prints transaction details, commission amounts, statuses, dates, and publisher identifiers directly to stdout. In an affiliate-intelligence skill, this data is commercially sensitive and may also include partner-identifying information; exposing it in logs, terminals, CI output, or shared agent traces can lead to unauthorized disclosure even if no external attacker code execution is involved.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script prints transaction details and publisher identifiers directly to stdout, including dates, commission amounts, statuses, and publisher names. In an affiliate-marketing intelligence context, this is potentially sensitive business data that may be captured by logs, terminals, CI systems, or shared run outputs, causing unintended disclosure of partner and financial information.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: `create_contact` performs a remote POST immediately with user-supplied contact data and no built-in confirmation or safety interlock. In an agent workflow, this can cause unauthorized record creation, spammy data pollution, or accidental insertion of sensitive/incorrect contacts from ambiguous prompts.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: `replace_contact` reassigns a contact to another advertiser via POST without any in-skill confirmation, authorization guard, or integrity check. That can silently corrupt CRM-style ownership/linkage data if triggered by a mistaken query or prompt injection through the surrounding agent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: `update_publisher` sends PATCH updates directly to the API with arbitrary caller-provided data and no user-facing confirmation. Because publisher records may include operational settings or credentials, accidental or malicious invocation could change business-critical configuration and impact partner integrations.

Ssd 3

Medium

Confidence: 88% confidence
Finding: The general-search fallback queries contacts even when user intent is ambiguous, then summarizes matching names. Combined with the skill's contact formatting behavior, this broadens access to contact data beyond explicit contact-related requests and increases the chance of overexposing business PII in casual queries.

Ssd 3

Medium

Confidence: 91% confidence
Finding: `_format_contacts_answer` returns contact names and full email addresses in plain text chat responses. In an agent or shared-chat context, that can disclose private business contact information too broadly, especially when search terms are vague or results are shown to users without a need-to-know.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal