Back to skill

Security audit

ZLQA-GMT-API-Test

Security checks across malware telemetry and agentic risk

Overview

This GM API testing skill appears purpose-built, but it should be reviewed because it runs and modifies local project Python test files that may use API secrets.

Install only if you trust the ZLQA repository and every run_tests.py it contains. Use least-privilege test credentials, avoid production GM secrets, keep config files with secrets out of version control, and check your project diff after running because this skill edits project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
set_execute_cases(script_path, case_ids)

    # 执行测试
    result = subprocess.run(
        ['python', 'run_tests.py'],
        cwd=interface_dir,
        capture_output=True,
Confidence
95% confidence
Finding
result = subprocess.run( ['python', 'run_tests.py'], cwd=interface_dir, capture_output=True, text=True, encoding='utf-8', errors='replace',

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module description frames the skill as dynamic path configuration, but the implementation goes further by discovering, modifying, and executing `run_tests.py` files inside the target project. This mismatch is security-relevant because it can cause users to underestimate the level of code execution and file modification the skill performs, weakening informed consent and increasing the chance of unsafe use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to place sensitive values such as the signing secret and test account data into project config files, but provides no guidance on secure storage, redaction, access control, or avoiding commits to version control. In a testing skill that relies on a cloned repository and automated discovery, this increases the chance of credential exposure through source control, logs, reports, or local file leakage.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The skill states that runner.py will automatically invoke os.startfile() to open a generated HTML report, causing an unsolicited local file action. While opening a local report is often convenient, doing so automatically without explicit user confirmation or warning can surprise users and increases risk if report content is unsafe or if the default browser executes active content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are extremely generic terms such as '执行', '初始化', '测试报告', and '接口列表', which can easily appear in normal user conversations unrelated to this skill. This increases the chance of accidental invocation or routing collisions, causing the agent to run testing-related actions in unintended contexts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`set_execute_cases` rewrites `run_tests.py` in place based on user input, altering code in the target project without backup, validation, or clear prior warning. This is dangerous because it can corrupt project files, create persistent unintended changes, and, in combination with later execution, turns the skill into a code-modifying launcher for external scripts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.