Security audit

Cn Url Shortener

Security checks across malware telemetry and agentic risk

Overview

This is a small URL-shortening skill that only sends a user-provided URL to is.gd, but its documentation should be clearer about the third-party service and overstates some features.

Install only if you are comfortable sending each URL you shorten to the public is.gd service. Avoid using it for private internal URLs, login links, reset links, or URLs containing tokens or sensitive query parameters; also expect the advertised statistics, expiry, and batch features to be incomplete or nonfunctional in this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Low
Confidence: 93%
Finding
The skill documentation includes promotional branding and an unrelated external link that is not necessary to operate a short-link generator. Even though this is not code execution, it creates unnecessary trust and phishing surface by steering users to third-party sites outside the stated tool purpose.

Missing User Warnings

Medium
Confidence: 95%
Finding
The function sends the full user-provided URL to the external is.gd service, which discloses potentially sensitive query parameters, internal hostnames, or tracking data to a third party. In an agent skill context, this is more dangerous because users may assume local processing while the skill silently exfiltrates input to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.