
Security audit

Gangtise知识库

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Gangtise internal knowledge-base search skill, but it relies on sensitive credentials and can optionally save or download internal documents locally.

Install only if you intend to let an agent query Gangtise internal content with your configured credentials. Use least-privilege credentials where possible, keep `scripts/.authorization` out of source control, avoid enabling `GTS_SAVE_FILE` or downloads in shared directories, and delete saved excerpts or reports when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs use of credentials, local file reads/writes, and network-backed retrieval, but it declares no permissions. This creates a trust and review gap: users and policy engines cannot accurately understand that the skill can access secrets, contact external services, and persist data locally, which can enable unintended data exposure or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented primarily as semantic knowledge-base search, but the interface also supports downloading full files and writing them to local directories. This mismatch is security-relevant because operators may authorize a low-risk search capability while overlooking bulk document retrieval and local persistence, increasing the chance of over-collection, unauthorized retention, or exfiltration of sensitive internal documents.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is described as a semantic knowledge-base retrieval tool, but it also supports downloading files to local disk when the download flag is enabled. This expands the capability from search-only to network-to-disk transfer, which materially increases risk because retrieved content may be persisted locally without the user fully understanding that side effect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill reads credentials from environment variables and a local `.authorization` file, then uses them to obtain a bearer token. That capability is broader than the manifest's stated semantic-search behavior and creates a hidden trust boundary: local secrets are accessed and transmitted without being obvious from the skill description.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code creates persistent local directories for usage logs and downloaded files, which exceeds a simple 'return relevant snippets' function. In a knowledge-base skill, silent persistence increases the risk of retaining sensitive query content and metadata on disk longer than users expect.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
`format_response` can save retrieved knowledge-base content to local files, including titles, timestamps, summaries, and identifiers. For a semantic-search skill, storing returned content locally broadens data exposure and may leak proprietary or sensitive research material into the workspace.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The function performs authenticated HTTP downloads and writes the returned content to local storage, but the core action is not surfaced to the user as an explicit consent/confirmation step before the side effect occurs. In an agent setting, silent network fetch plus disk write can unexpectedly transfer sensitive documents and leave local artifacts, which increases the risk of unreviewed data handling and privacy/compliance issues.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends the user's query, date filters, and selected resource types to an external RAG endpoint via `requests.post`. In a knowledge-base skill this may be expected operationally, but the file itself provides no explicit user-facing disclosure or consent mechanism, so potentially sensitive user queries could be transmitted off-process or off-host without clear notice.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When download is enabled, the skill automatically invokes `download_files` on returned search results and may save content to disk under the provided output directory. Without a strong user-facing warning or confirmation at the point of execution, this can lead to unintended local persistence of potentially sensitive documents and broaden exposure on the host.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code collects access credentials and sends them to a remote endpoint to obtain an access token, but there is no user-facing warning at the point of operation. Hidden transmission of sensitive credentials is dangerous because users may not realize local secrets are being used or sent off-host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The utility writes usage information and retrieved content to local files without an explicit point-of-use disclosure. In this context, search queries and returned snippets may contain sensitive internal knowledge, so undisclosed persistence creates confidentiality and retention risks.

VirusTotal

65/65 vendors flagged this skill as clean.
