
Security audit

GEO Content Writer

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Dageno content workflow, but its optional WordPress commands can create, update, or publish live site content, including batch posts, without a clear confirmation or dry-run gate.

Install only if you intentionally want a Dageno-driven content workflow with optional WordPress publishing. Use a least-privilege WordPress application password, keep runs in draft mode until reviewed, avoid batch publishing until tested on a staging site, and do not expose WordPress credentials to agent sessions that should only draft content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and requires capabilities including environment-variable access, local file reads/writes, and network access, but does not declare permissions explicitly. This weakens user visibility and consent around what the skill can access, making credential exposure, unintended filesystem modification, or outbound data transfer easier to hide behind a seemingly simple content workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is narrowly framed as a Dageno-based backlog-to-article workflow, but the skill appears capable of substantially broader actions including arbitrary web crawling, keyword-first content generation, batch publishing, and direct WordPress publication. This mismatch is dangerous because users may authorize or invoke the skill under incomplete expectations, enabling higher-risk operations such as live publishing or broader data handling than the description suggests.

Context-Inappropriate Capability

Low
Confidence
97% confidence
Finding
The example content exposes a real-looking absolute local filesystem path under a user's home directory. While not immediately exploitable on its own, it leaks host-specific environment details and project structure that are unrelated to the skill's public function, which can aid fingerprinting, social engineering, or follow-on targeting.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The content materially contradicts its stated subject by switching from industrial equipment evaluation to travel/booking decision language. In a content-generation skill, this can propagate misleading or irrelevant output, undermining trust, confusing downstream users, and potentially causing publication of nonsensical or deceptive material.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The FAQ and later sections continue the same cross-domain drift, referring to booking paths and traveler profiles instead of sifter selection factors. This is dangerous because it indicates systemic prompt/template contamination that can produce inaccurate advice and low-integrity publish-ready content at scale.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill is presented as a content-writing workflow, but it also includes direct publishing capabilities to WordPress and batch publication paths. In an agent setting, that hidden expansion of capability can cause unintended remote side effects, especially if callers assume the tool only drafts content and do not realize it can publish or modify live CMS content.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Direct WordPress create/update operations are powerful remote-write capabilities that exceed a narrowly described content-writing role. If an agent or user invokes this skill assuming it only produces text, it could alter or publish CMS content using supplied credentials, causing integrity loss, accidental publication, or defacement.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automated batch publishing amplifies the risk of unintended remote side effects because a single invocation can generate and publish multiple posts. In an agent environment, this increases blast radius: a mistaken or manipulated call could create many unwanted drafts or published posts at once.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file implements a full WordPress publishing client that can create and update remote CMS posts, which materially extends the skill from content generation into external side-effecting publication. In an agent context, undisclosed write capability increases the risk of unauthorized posting, defacement, or accidental publication if invoked without explicit user consent and clear scope boundaries.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The client automatically sources WordPress credentials and OAuth secrets from environment variables, giving the skill access to external publishing infrastructure without any in-file indication of user approval. In agent deployments, ambient credential use is dangerous because the model may gain capabilities beyond what the user requested or expects.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly documents integrations with external APIs, web research, and optional WordPress publishing, but it does not clearly warn that prompts, article drafts, metadata, and credentials may be transmitted to third-party services. In an agent skill context, this omission is security-relevant because users may invoke the workflow assuming purely local processing, leading to unintended disclosure of proprietary content, internal knowledge-base material, or publishing credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The quick-start section provides direct WordPress publishing instructions, including credential environment variables and a publish command, without an explicit caution that running the command can create remote drafts or publish content to a live third-party service. In a skill/agent setting, actionable commands with side effects are more dangerous because they normalize credential use and remote state changes without a safety checkpoint or user acknowledgment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly includes a distribution step that can publish to WordPress draft or live publish status, but the description does not prominently warn users that content may be posted externally. In a content-generation context, this increases the chance of accidental publication of incorrect, low-quality, or sensitive material to a production website.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill requires sensitive credentials including API keys and WordPress application credentials, but does not provide clear guidance on storage, least-privilege handling, redaction, or transmission boundaries. In a workflow that also performs network and publishing actions, poor credential hygiene can lead to account compromise, content tampering, or leakage of proprietary data.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The markdown includes an absolute local filesystem path under a user home directory, which unnecessarily discloses environment-specific information. While not directly exploitable on its own, this can leak usernames, workstation structure, project naming, and local layout details that aid targeting, phishing, or later-stage exploitation.

Vague Triggers

Low
Confidence
95% confidence
Finding
The JSON example includes a full absolute local filesystem path to a user's home directory, which unnecessarily exposes workstation-specific information such as the username and project structure. While not directly exploitable on its own, this can aid reconnaissance, leak sensitive environment details into downstream logs or model context, and encourage tools to access data outside the intended skill scope.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The persistent use of travel/booking language across an article about gyratory sifters reflects a domain mismatch in the skill's natural-language output. In this skill context, that makes the generated content unreliable and can mislead readers or customers, especially if the workflow presents the article as publish-ready professional guidance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill declares multiple sensitive credentials, including API keys and WordPress authentication secrets, but does not clearly warn users that these secrets enable access to external services and potentially content management actions. In an agent setting, this increases the risk of overbroad secret exposure, unintended transmission to third-party services, or users invoking the skill without understanding the systems it can touch.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly supports publishing to WordPress in draft or publish status, but it does not include a strong warning that this can modify a live site. In an autonomous or semi-autonomous agent workflow, this creates a real integrity risk: content could be posted to production unintentionally, harming the site, brand, or compliance posture.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The publish/update path performs remote writes to WordPress without any explicit interactive warning, confirmation, or preview in this file. That is dangerous in agent-driven workflows because content derived from prompts or files can be transmitted and persisted remotely immediately, leading to accidental publication, unwanted edits, or abuse of stored credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The batch workflow writes generated files locally and creates remote WordPress posts without an additional disclosure or confirmation step in the execution path. Because it processes multiple items, any misuse or misconfiguration can rapidly create a large number of artifacts and remote posts, increasing operational and reputational damage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The create_post and update_post methods perform remote writes to a live WordPress site with no built-in confirmation, warning, or separation between draft generation and publication actions. In a content-writing skill, this makes accidental or unauthorized state changes more likely, especially if an agent chains generation and publishing automatically.
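
The findings above on create_post/update_post, the batch workflow, and ambient credentials all describe the same missing control: nothing separates "generate a draft" from "write to a live site". The following is an added example of a publish gate that an operator could place in front of the skill's client; it is not the skill's own code. It assumes a client exposing create_post(title, content, status) and the environment-variable names WORDPRESS_URL, WORDPRESS_USER and WORDPRESS_APP_PASSWORD; all of those names are assumptions, and the RecordingClient is a constructed stand-in so the example runs offline.

```python
"""Publish gate for an agent-driven WordPress workflow (added example, hypothetical).

Enforces: dry-run by default, draft status unless publishing was explicitly
allowed, a batch-size cap, a confirmation callback before any live publish,
and credentials that are only read when publishing is actually enabled.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Mapping, Optional

# Assumed variable names; the real skill's names may differ.
CREDENTIAL_VARS = ("WORDPRESS_URL", "WORDPRESS_USER", "WORDPRESS_APP_PASSWORD")


class PublishGateError(Exception):
    """Raised when a run would exceed what the caller explicitly allowed."""


@dataclass
class PlannedPost:
    title: str
    content: str
    status: str = "draft"  # "draft" or "publish"


@dataclass
class RecordingClient:
    """Constructed stand-in for a WordPress REST client: records calls instead
    of sending them, so the gate can be exercised without network access."""
    calls: list = field(default_factory=list)

    def create_post(self, title: str, content: str, status: str) -> dict:
        self.calls.append(("create_post", title, status))
        return {"id": len(self.calls), "status": status}


def load_publish_credentials(env: Mapping[str, str], allow_publish: bool) -> Optional[dict]:
    """Read WordPress credentials only when live publishing is enabled.
    A draft-only or dry-run session never touches the application password."""
    if not allow_publish:
        return None
    missing = [k for k in CREDENTIAL_VARS if not env.get(k)]
    if missing:
        raise PublishGateError("missing credentials: " + ", ".join(missing))
    return {"url": env["WORDPRESS_URL"], "user": env["WORDPRESS_USER"],
            "app_password": env["WORDPRESS_APP_PASSWORD"]}


class PublishGate:
    def __init__(self, client, *, allow_publish: bool = False, max_batch: int = 5,
                 dry_run: bool = True,
                 confirm: Optional[Callable[[List[PlannedPost]], bool]] = None):
        self.client = client
        self.allow_publish = allow_publish
        self.max_batch = max_batch
        self.dry_run = dry_run
        self.confirm = confirm

    def plan(self, posts: List[PlannedPost]) -> List[PlannedPost]:
        """Cap the batch and downgrade any 'publish' request to 'draft' unless
        publishing was explicitly allowed (fail safe, never fail open)."""
        if len(posts) > self.max_batch:
            raise PublishGateError(f"batch of {len(posts)} exceeds cap of {self.max_batch}")
        planned = []
        for p in posts:
            status = "publish" if (p.status == "publish" and self.allow_publish) else "draft"
            planned.append(PlannedPost(p.title, p.content, status))
        return planned

    def run(self, posts: List[PlannedPost]) -> dict:
        planned = self.plan(posts)
        if self.dry_run:
            # Preview only: nothing is sent to the remote site.
            return {"dry_run": True, "planned": planned, "results": []}
        if any(p.status == "publish" for p in planned):
            # A live publish needs an explicit, out-of-band confirmation.
            if self.confirm is None or not self.confirm(planned):
                raise PublishGateError("live publish not confirmed")
        results = [self.client.create_post(p.title, p.content, p.status) for p in planned]
        return {"dry_run": False, "planned": planned, "results": results}


if __name__ == "__main__":
    client = RecordingClient()
    gate = PublishGate(client)  # dry_run=True, allow_publish=False
    preview = gate.run([PlannedPost("Gyratory sifter guide", "...", "publish")])
    print(preview["planned"][0].status, client.calls)
```

The default constructor is the safe configuration: a caller has to pass dry_run=False, allow_publish=True and a confirm callback before anything reaches the live site, which is the checkpoint the audit says the skill lacks. Using a confirmation callback rather than input() keeps the gate usable from an agent runner that can route the prompt to a human.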

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code sends credentials to WordPress APIs and retrieves OAuth tokens without any user-visible disclosure in the file that secret-backed network operations occur. While the transmission is over HTTPS, the security issue is the hidden capability: the skill can authenticate to external services and act on behalf of the account unexpectedly.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The workflow automatically collects prompt responses, response details, mentions, and citation URLs from remote services and processes them into downstream payloads without any visible consent, minimization, or disclosure control in this code path. In an agent setting, silent aggregation of potentially sensitive prompt/response telemetry can violate user expectations and expose proprietary research context or behavioral data to broader processing than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code crawls external citation URLs, causing outbound requests to third-party sites without any visible disclosure or approval step nearby. This can leak user or tenant interest patterns, trigger untrusted network interactions, and expand the trust boundary from the Dageno API to arbitrary cited domains.
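
Crawling whatever URL a remote API cites means the trust boundary is set by the citing service, not by the operator. The block below is an added example of a pre-fetch filter that an operator could apply to citation URLs before the skill's crawler touches them; it is not part of the skill. It rejects non-HTTPS schemes, embedded credentials, IP literals (which covers link-local metadata endpoints and internal addresses), hosts outside an allowlist, and anything beyond a per-run cap, and it returns the rejected URLs with reasons so the decision is visible in logs. The allowlist and the sample URLs are constructed for the example.

```python
"""Allowlist filter for outbound citation crawling (added example, hypothetical)."""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: the kind of citation list a research API might return.
SAMPLE_CITATIONS = [
    "https://example.com/guide/gyratory-sifters",
    "https://docs.example.com/faq",
    "http://example.com/insecure",
    "https://169.254.169.254/latest/meta-data/",
    "https://user:pw@example.com/x",
    "https://notexample.com/",
    "https://evil.example.net/",
]
ALLOWED_HOSTS = {"example.com"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_allowed(host: str, allowed: Iterable[str]) -> bool:
    # Exact match or a subdomain of an allowlisted host.
    return any(host == a or host.endswith("." + a) for a in allowed)


def filter_citation_urls(urls: Iterable[str], allowed_hosts: Iterable[str],
                         max_urls: int = 20) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted, rejected) where rejected is a list of (url, reason)."""
    allowed = {h.lower() for h in allowed_hosts}
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            reason = "scheme is not https"
        elif not host:
            reason = "no host"
        elif parts.username or parts.password:
            reason = "credentials embedded in URL"
        elif _is_ip_literal(host):
            reason = "IP literal (blocks link-local, metadata and internal targets)"
        elif not _host_allowed(host, allowed):
            reason = "host not on allowlist"
        elif len(accepted) >= max_urls:
            reason = "per-run cap reached"
        else:
            accepted.append(url)
            continue
        rejected.append((url, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_citation_urls(SAMPLE_CITATIONS, ALLOWED_HOSTS)
    print("fetch:", ok)
    for url, why in dropped:
        print("skip:", url, "->", why)
```

Host-name checks alone do not stop DNS rebinding or an allowlisted site redirecting elsewhere, so the crawler behind this filter should also disable cross-host redirects and apply the same check to every hop; the filter's job is to keep the agent from fetching arbitrary cited domains in the first place and to leave an auditable record of what it refused.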

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.