Back to skill

Security audit

搬题姬

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent OJ problem-import purpose, but it asks agents to run generated C++ code and perform unguarded desktop file deletion and renaming.

Install only if you are comfortable with the agent creating, renaming, deleting, compiling, and executing files in a Desktop work directory. Use it in a disposable or sandboxed workspace, review generated std.cpp and mkin.h before running, and avoid invoking it on untrusted problem packages or local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (20)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The program compiles and executes a local source file (`std.cpp`) via `system`, which means arbitrary code present in the workspace will run with the user's privileges. In this skill's context, imported problem packages or generated files may be influenced by untrusted content, so this behavior expands the attack surface from data generation into code execution.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The initialization commands unconditionally run `rm -rf` on desktop work directories before copying the template, with no existence, ownership, or safety checks beyond the path construction. Because the deletion target is on the user's desktop and includes broad names like `work` or `work_{PID}`, this can destroy pre-existing data if the directory name collides or variables are unexpected.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The file contains unresolved merge conflict markers with two divergent scoring tables, which creates contradictory guidance for the same task. In an agent skill that standardizes imported programming problems, this can cause nondeterministic or incorrect score assignment, reducing integrity and reliability of generated outputs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs compiling and executing local binaries (`g++`, `./mkdata`) to generate test data and outputs. While this is functionally related to the task, it still creates an execution path for untrusted or AI-generated C++ code (`std.cpp`, modified `mkin.h`) without any sandboxing, path restrictions, or safety checks, which can lead to arbitrary code execution on the host.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The packaging step includes `rm -f {WORK_DIR}/std {WORK_DIR}/mkdata {WORK_DIR}/*.exe`, which is a destructive command operating on the filesystem. Even though it appears intended as cleanup, it lacks guardrails such as path validation, dry-run confirmation, or confinement to a guaranteed temporary directory, so a malformed or attacker-influenced `{WORK_DIR}` could cause unintended deletion.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The document directs the agent to use shell-based verification for large samples instead of `read_file`, expanding command-execution behavior beyond simple file generation. Although the stated purpose is operational verification, invoking shell commands on attacker-controlled file names or paths increases the attack surface and can enable command injection or unsafe host interaction if not tightly constrained.

Vague Triggers

High
Confidence
93% confidence
Finding
The manifest metadata includes broad trigger wording for a skill that performs filesystem writes and archive creation. Ambiguous activation increases the chance the skill is invoked during ordinary conversation, causing unintended browsing, file generation, and desktop modifications without sufficiently specific user intent.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list contains ambiguous single terms such as platform names and generic phrases that can appear in unrelated requests. Because this skill is authorized to read, write, edit, browse, and package files, accidental invocation could lead to unintended data access or file creation on the user's desktop.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Repeating vague keywords without defining trigger boundaries reinforces overbroad activation behavior. In this context, the danger is not remote code execution but unintended execution of a high-impact workflow that creates work directories, edits files, and produces archives.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill's workflow explicitly detects the desktop, copies a template directory, creates work folders, and writes zip archives there, but the user-facing description does not clearly warn about these side effects. This reduces informed consent and can surprise users with local filesystem changes in a sensitive default location.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill presents destructive directory deletion commands as normal setup steps without warning, confirmation, or safer alternatives. In an agent context, users may not see or understand these commands before execution, increasing the chance of irreversible loss of files on the desktop.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to immediately rename a local workspace directory using a shell mv command based on parsed external input, without requiring user confirmation or documenting safeguards. This creates a real integrity risk: an automated agent could unexpectedly modify local files/directories, and if PID handling is malformed or shell-unsafe, it could also cause path confusion or unintended filesystem changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs an unconditional `mv {WORK_DIR} {WORK_DIR}_{标题简写}` rename of the working directory, including a variant based on detected desktop paths, without any validation, collision checks, or user confirmation. In an agent context, filesystem mutations based on generated title text can misplace outputs, overwrite expectations, or break subsequent steps if the derived path is wrong or already exists.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The cleanup instruction deletes executables without any warning, confirmation, or explicit requirement that the workspace be disposable. In an agent setting, silent destructive operations are risky because variable expansion or workspace confusion can remove user files or artifacts unexpectedly, causing data loss and making recovery difficult.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The step explicitly instructs the agent to create and append to a local summary file derived from user-provided inputs, but it does not require confirming the destination, warning the user that local files will be modified, or constraining writes to a safe workspace. In an agent context, silent file creation/modification can overwrite existing content or place generated files in unintended locations, especially when file names or contest IDs are derived from user-controlled paths.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The step instructs deletion of executable-related files in the working directory (`rm -f {WORK_DIR}/std {WORK_DIR}/mkdata {WORK_DIR}/*.exe`) before packaging, but provides no user-facing warning, confirmation, or path-safety validation. In this skill’s context, `{WORK_DIR}` is dynamically derived from a desktop path, so a bad substitution, empty variable, or unexpected directory value could cause unintended data loss in a user-accessible location.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to copy local images or attachments into a working directory, which is a filesystem write operation affecting local files. Without explicit user consent, path constraints, and safety checks, this can lead to unintended local file modification, propagation of sensitive attachments, or copying attacker-controlled files into downstream artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs `rm -rf $BASE_DIR/work_{PID}` before recreating the workspace, which can permanently delete data if `BASE_DIR` or `PID` is wrong, empty, or unexpectedly expanded. In an agentic skill that performs filesystem actions automatically, the lack of safety checks, path validation, or a user warning materially increases the risk of unintended destructive deletion.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The optional cleanup step `rm -f work_*/*.zip` deletes generated zip artifacts without warning, which can remove deliverables or evidence needed for validation and recovery. While narrower in scope than the earlier recursive delete, it is still a destructive operation in a packaging workflow and can cause irreversible loss if run at the wrong time or in an unexpected directory.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
void mk_in() {
    // 创建testdata目录
    if (system("rm -rf testdata/*.in testdata/*.out testdata/*.zip") != 0) {
        cerr << "清理旧数据失败" << endl;
    }
Confidence
97% confidence
Finding
rm -rf testdata/*.in testdata/*.out testdata/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.