Back to skill

Security audit

Foxtable 开发文档(报表与数据篇)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Foxtable skill, but it needs review because its examples publish real-looking credentials and an API key.

Review before installing. The skill does not appear to run code or exfiltrate data, but its examples include hardcoded secrets. Treat the FTP credentials and map API key as exposed, do not reuse them, and replace all sample credentials with placeholders or environment-managed secrets. If the publisher owns any of these values, they should be revoked or rotated before publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The document includes a concrete FTP host, account, and password in example code for remote image access. Even in documentation, publishing real-looking credentials normalizes unsafe handling of secrets and could expose an actual service if the values were ever valid or reused elsewhere.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows backend data extraction and FTP credential configuration without any warning about secret management or operational risk. In context, this makes unsafe copy-paste use likely and increases the chance that users deploy exposed credentials in production systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The certificate examples include plaintext passphrases for creating, exporting, and loading a private key without emphasizing private key protection. This encourages insecure operational habits and could lead users to embed real certificate passwords directly in scripts or applications.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation includes a hardcoded third-party API key in example code. Even in documentation, embedded live credentials can be copied into applications, harvested from repositories, abused for unauthorized API usage, quota exhaustion, billing charges, or service-account suspension.

Ssd 3

High
Confidence
98% confidence
Finding
The example directly embeds an FTP server address, username, and password in documentation text and code. This is sensitive data exposure and also teaches an insecure pattern that can be replicated by users, making the reporting/documentation context more dangerous because it invites copy-paste reuse.

Ssd 3

High
Confidence
94% confidence
Finding
The document shows explicit certificate file passwords and code that loads a private key using that password. Exposing private-key handling patterns with plaintext passwords is dangerous because readers may copy the pattern into real deployments, risking certificate compromise and unauthorized signing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.