MyCompanyDueDiligence

Security checks across malware telemetry and agentic risk

Overview

The skill’s due-diligence purpose is mostly coherent, but it ships saved browser sessions containing live authentication tokens and builds shell commands by interpolating untrusted input (the target company name, agent-supplied subcommands) into strings that are run with shell=True.

Review before installing. Do not use the bundled session files; treat them as exposed credentials, revoke the sessions where the provider allows it, and remove the files. Use fresh accounts, store sessions outside the skill/repository with restrictive permissions, and avoid confidential targets unless you are comfortable sending company names and screenshots to the listed third-party services. The shell-command construction (f-strings passed to subprocess.run with shell=True) should be replaced with argument lists before this is used with untrusted company names or agent-supplied input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Run an agent-browser command."""
    full_cmd = f"agent-browser --session-name {DEFAULT_SESSION} {cmd}"
    try:
        result = subprocess.run(
            full_cmd,
            shell=True,
            capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( full_cmd, shell=True, capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
html_file = md_file.with_suffix('.html')
        
        # Convert to basic HTML
        result = subprocess.run(
            f'pandoc "{md_file}" -o "{html_file}" --standalone --metadata title="{company_name}"',
            shell=True, capture_output=True, text=True, timeout=30
        )
Confidence
97% confidence
Finding
result = subprocess.run( f'pandoc "{md_file}" -o "{html_file}" --standalone --metadata title="{company_name}"', shell=True, capture_output=True, text=True, timeout=30 )
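Both subprocess findings share one defect: a company name or an agent-supplied subcommand is interpolated into a string that shell=True then parses. The following is an added example, not the skill's own code. vulnerable_cmd reproduces the reported pandoc f-string; hardened_argv and agent_browser_argv are the argv-list replacements; shell_commands uses shlex to show how a POSIX shell would tokenize the string. The company names, file names and the echo stand-in are constructed for illustration, and pandoc itself is never executed.

```python
"""Shell-string vs argv command construction for the skill's subprocess calls.

Added example, not the skill's code. vulnerable_cmd reproduces the reported
f-string; hardened_argv and agent_browser_argv are the argv-list replacements.
pandoc is never executed; shell_commands shows how a POSIX shell would
tokenize the string, and demo_echo runs both forms with `echo` as a stand-in.
"""
import shlex
import subprocess

SAFE_NAME = "Acme Corp"
# Constructed attacker-controlled company name: closes the double quote,
# appends a command, then re-opens a quote so the string still parses.
MALICIOUS_NAME = 'Acme"; echo INJECTED; echo "'


def vulnerable_cmd(md_file: str, html_file: str, company_name: str) -> str:
    """Same shape as the finding: the name is interpolated into a shell string."""
    return (f'pandoc "{md_file}" -o "{html_file}" --standalone '
            f'--metadata title="{company_name}"')


def hardened_argv(md_file: str, html_file: str, company_name: str) -> list[str]:
    """Argv list for subprocess.run(..., shell=False): no shell parses the name."""
    return ["pandoc", md_file, "-o", html_file, "--standalone",
            "--metadata", f"title={company_name}"]


def agent_browser_argv(session_name: str, *subcommand: str) -> list[str]:
    """Replacement for f"agent-browser --session-name {DEFAULT_SESSION} {cmd}"."""
    return ["agent-browser", "--session-name", session_name, *subcommand]


def shell_commands(cmd: str) -> list[list[str]]:
    """Split a command string into the simple commands a POSIX shell would run.

    shlex with punctuation_chars=True returns ';' as its own token, so input
    that breaks out of the quotes shows up as additional commands.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def demo_echo(company_name: str) -> tuple[str, str]:
    """Run the two styles with echo in place of pandoc (POSIX shell required)."""
    unsafe = subprocess.run(f'echo title="{company_name}"', shell=True,
                            capture_output=True, text=True).stdout
    safe = subprocess.run(["echo", f"title={company_name}"],
                          capture_output=True, text=True).stdout
    return unsafe, safe


if __name__ == "__main__":
    for name in (SAFE_NAME, MALICIOUS_NAME):
        print(shell_commands(vulnerable_cmd("report.md", "report.html", name)))
        print(hardened_argv("report.md", "report.html", name))
    unsafe, safe = demo_echo(MALICIOUS_NAME)
    print("shell=True output:", repr(unsafe))  # INJECTED appears on its own line
    print("argv output:     ", repr(safe))     # the whole name is one argument
```

For the agent-browser wrapper, if the agent must still hand over a whole subcommand as one string, shlex.split it into a list and check the first token against an allow-list of agent-browser verbs before calling subprocess.run without shell=True; the shell is never involved either way.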

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior understates or misstates actual scope: additional data sources, credential/session handling, and partially manual workflows materially change the trust boundary for users. This is dangerous because users may authorize the skill expecting limited four-site scraping, while the implementation may touch more services, persist authentication artifacts, and collect more data than disclosed.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script writes screenshots and reports to hard-coded absolute directories outside the skill workspace. In an agent setting, this expands the data-handling scope and can cause sensitive due-diligence outputs to be stored in unintended locations, increasing the risk of data leakage, accidental overwrite, or cross-project exposure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The session file contains a live Tianyancha authentication token/cookie set that can likely be reused to access the associated account. Embedding active session credentials in a distributable skill is dangerous because anyone with repository or package access may impersonate the account, consume paid features, or access account-linked data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The stored browser state includes personal account/profile information such as masked mobile number, user ID, nickname, and account attributes that are not required for a generic due-diligence automation skill. This creates unnecessary privacy exposure and can aid account correlation, profiling, or social engineering if the artifact is shared or reused.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The localStorage snapshot contains a full authenticated token plus detailed browsing telemetry, including identifiers, search history, URLs, and account-linked metadata. In the context of a browser automation skill, this is especially dangerous because the skill is explicitly designed to replay authenticated sessions against external sites, making credential reuse and privacy leakage more immediately exploitable.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to save a logged-in browser session to `./session/due-diligence.json` but does not warn that the file may contain reusable authentication artifacts such as cookies, tokens, or other session state. In a due-diligence skill that accesses multiple authenticated commercial/legal data sources, leakage of this file could enable account takeover or unauthorized reuse of paid or sensitive access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to save authenticated browser session state to disk but does not warn that these files may contain reusable cookies or tokens. If the session file is copied, exposed via backups, or stored with weak permissions, an attacker could hijack authenticated access to enterprise data sources without needing the user's password.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill generates and stores screenshots, reports, and raw JSON from due-diligence workflows without documenting privacy, retention, or handling requirements. These artifacts can include company-sensitive information, personal data, search history, and authenticated-view content; unguarded local storage or sharing could lead to confidentiality and compliance issues.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs automated login with username/password entry for paid services but provides no guidance on secure credential handling, storage, consent, or account-risk implications. In a browser-automation skill, this increases the chance that users will hardcode credentials, leak them through logs/screenshots, or use accounts in ways that violate provider terms or expose sensitive business queries.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The HTTP automation examples send user-supplied company identifiers and search keywords to external services without any privacy or disclosure warning. While routine for due-diligence workflows, the context makes this sensitive because target entities and search terms may be confidential deal information, and silent transmission to third parties can create privacy, legal, or business-confidentiality exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code automatically logs into third-party services and submits the target company name without any explicit consent, warning, or disclosure at runtime. In a due-diligence context, queried company names can be sensitive business intelligence, and automated authenticated access also exposes stored account usage to external platforms.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script silently loads local credentials and uses them for authenticated scraping, which can cause unintended credential use and undisclosed access to paid or personal accounts. In agent/skill environments, implicit credential access is dangerous because users may not realize the tool will consume secrets and act on their behalf against external services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists authentication cookies and full browser storage state to files under the user's home directory, which can contain reusable session tokens and other sensitive data. If those files are read by another local user, malware, backups, or accidentally committed/shared, an attacker may be able to hijack the Qichacha session and access account-scoped data without re-authenticating. In a due-diligence automation skill, this is somewhat more dangerous because long-lived authenticated access is the core capability of the tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists Tianyancha session cookies and full browser storage state to predictable files under the user's home directory. Those artifacts can contain active authentication tokens and other sensitive session data, so any local compromise, accidental sharing, weak filesystem permissions, or inclusion in backups can enable account/session hijacking without re-authentication. In this due-diligence skill, the risk is elevated because the tool is explicitly designed to automate access to commercial data sources using a logged-in account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists authentication cookies and full browser storage state to plaintext JSON files under the user's home directory, which can contain reusable session tokens. If those files are read by another local user, malware, backups, or accidentally committed/shared, an attacker may hijack the user's court website session without needing credentials. In a due-diligence automation tool, persisted authenticated sessions are operationally useful, but they still materially increase risk because the target data source is sensitive and likely tied to a real identity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes a browser screenshot to /tmp, a shared temporary location where other local processes or users may be able to access it depending on system configuration. Because the screenshot is taken immediately after a login flow, it may capture account identifiers, case information, or other sensitive session content, creating avoidable information exposure. The due-diligence context increases sensitivity because the site and resulting page content may contain non-public legal or account-related data.
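The Overview's advice (treat bundled session files as exposed credentials, keep sessions outside the repository with restrictive permissions) and the findings above about plaintext session state under the home directory and screenshots in /tmp can be turned into a small set of checks. The following is an added example, not the skill's code. It assumes a Playwright-style storage_state document ({"cookies": [...], "origins": [{"origin": ..., "localStorage": [...]}]}); the skill's actual session format is not shown on this page, and the sample state, paths and the TOKEN_KEY pattern are constructed for illustration.

```python
"""Session-state hygiene for a browser-automation skill.

Added example, not the skill's code. It assumes a Playwright-style
storage_state document ({"cookies": [...], "origins": [{"origin": ...,
"localStorage": [{"name": ..., "value": ...}]}]}); the skill's real format
is not shown on the page. The sample state below is constructed.
"""
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# localStorage keys that usually hold reusable authentication material (assumed pattern).
TOKEN_KEY = re.compile(r"token|session|auth|jwt|sid", re.IGNORECASE)

# Constructed sample in storage_state shape; not a real session.
SAMPLE_STATE = {
    "cookies": [{"name": "sessionid", "value": "example-only", "domain": ".data-source.example",
                 "path": "/", "httpOnly": True, "secure": True}],
    "origins": [{"origin": "https://data-source.example",
                 "localStorage": [{"name": "auth_token", "value": "example-only"},
                                  {"name": "theme", "value": "light"}]}],
}


def write_session_state(state: dict, path: Path) -> Path:
    """Persist state as owner-only JSON (0600 file inside a 0700 directory)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)  # mkdir honours umask, so set the mode explicitly
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    os.chmod(path, 0o600)  # the O_CREAT mode only applies to newly created files
    return path


def inside_repo(path: Path) -> bool:
    """True if any ancestor directory contains a .git entry."""
    resolved = path.resolve()
    return any((p / ".git").exists() for p in [resolved, *resolved.parents])


def audit_session_file(path: Path) -> list[str]:
    """Return the reasons a stored session file must be handled as a credential."""
    problems = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        problems.append(f"permissions {mode:04o} allow group/other access")
    if inside_repo(path):
        problems.append("file is inside a git working tree and may be committed")
    state = json.loads(path.read_text())
    cookies = state.get("cookies", [])
    if cookies:
        domains = sorted({c.get("domain", "?") for c in cookies})
        problems.append(f"{len(cookies)} cookie(s) for {domains}: reusable session credentials")
    for origin in state.get("origins", []):
        for item in origin.get("localStorage", []):
            if TOKEN_KEY.search(item.get("name", "")):
                problems.append(f"localStorage key {item['name']!r} at {origin.get('origin')} "
                                "looks like an auth token")
    return problems


def private_output_dir(prefix: str = "due-diligence-") -> Path:
    """Per-run 0700 directory for screenshots/reports instead of a fixed path in /tmp."""
    return Path(tempfile.mkdtemp(prefix=prefix))


def run_demo() -> dict:
    """Exercise the helpers: a copy left in a repo with loose permissions vs a private copy."""
    root = Path(tempfile.mkdtemp())
    repo = root / "repo"
    (repo / ".git").mkdir(parents=True)
    committed = write_session_state(SAMPLE_STATE, repo / "session" / "due-diligence.json")
    os.chmod(committed, 0o644)  # simulate a careless copy
    private = write_session_state(SAMPLE_STATE, root / "private" / "due-diligence.json")
    return {
        "committed": audit_session_file(committed),
        "private": audit_session_file(private),
        "private_mode": stat.S_IMODE(private.stat().st_mode),
        "output_dir_mode": stat.S_IMODE(private_output_dir().stat().st_mode),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the private copy still reports its cookie and token contents: correct permissions and a location outside the repository reduce exposure, but the file remains a credential, which is why the Overview says to treat the bundled copies as exposed and to use fresh accounts.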

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal