Security audit

国泰海通证券-灵犀研报搜索

Security checks across malware telemetry and agentic risk

Overview

This is a coherent research-report search skill, but it handles sensitive API credentials and device identifiers in ways users should review carefully before installing.

Install only if you trust this publisher and intend to use the GTHT research-report service. Prefer the QR/cloud authorization path instead of pasting an API key into chat, verify the displayed GTHT domains, and use the documented clear-auth command when you no longer want the local credential retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Intent-Code Divergence

Medium

Confidence: 91% confidence
Finding: The file says access must remain within the skill directory and one sibling shared file, but later documents a search path that climbs multiple parent directories for gtht-entry.json. Contradictory boundary rules create ambiguity that can lead to unintended credential discovery or use of a key from another installation context.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The entrypoint is not limited to the declared research-report use case; it includes a general auth module and a generic MCP client capable of calling tools by arbitrary gateway and tool name. This expands the reachable attack surface far beyond the advertised skill behavior, enabling capability abuse if the skill is granted access or invoked by other components under the assumption it is narrowly scoped.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The mcpClient `call` path accepts user-supplied gateway and tool names and forwards arbitrary arguments, creating a generic remote procedure invocation surface. In a skill advertised as research-report search, this mismatch is dangerous because any exposed backend tool reachable through configured gateways could be invoked, potentially accessing unrelated data or performing unintended actions.

Context-Inappropriate Capability

Medium

Confidence: 87% confidence
Finding: The authorization flow enumerates local network interfaces to obtain a MAC address and derives device identifiers from it, which is unrelated to simple report-search functionality and constitutes collection of sensitive device metadata. This increases privacy risk and creates unnecessary host fingerprinting, especially when users may not expect hardware identifiers to be accessed by a content-search skill.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger keywords are broad financial terms such as 研报, 投资策略, 行业分析, 大盘分析, which are common in ordinary conversation. Over-broad activation can cause the agent to invoke this skill unexpectedly, increasing the chance of unnecessary authorization prompts, credential collection flows, or remote data access in contexts where the user did not intend to use this provider.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs the agent to have the user provide or manage an API Key but does not clearly warn that the key is a sensitive secret that should not be pasted casually into chat or logged. This raises the risk of credential exposure through conversation history, telemetry, or mishandling by downstream components.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The code persists the API key in a shared JSON file on disk, but the flow does not present a clear, explicit warning that credentials will be stored locally. Storing long-lived credentials without informed user consent increases the risk of credential theft from local compromise, backups, shared directories, or other local users/processes.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The code persists the API key in a shared JSON file on disk, but the flow does not present a clear, explicit warning that credentials will be stored locally. Storing long-lived credentials without informed user consent increases the risk of credential theft from local compromise, backups, shared directories, or other local users/processes.

Ssd 3

High

Confidence: 99% confidence
Finding: The authorization instructions explicitly tell the user to send a valid API key directly to the agent/chat to complete authorization. Requesting users to paste credentials into chat is a severe secret-handling anti-pattern because chat logs, intermediaries, plugins, or operators may retain or access the credential, enabling account takeover or unauthorized API use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.