Back to skill

Security audit

office-quotes

Security checks across malware telemetry and agentic risk

Overview

This Office quote skill is not malware, but its documentation understates risky API/image-rendering behavior and overstates what the bundled code actually provides.

Install only if you trust the npm publisher and are comfortable with API mode contacting a third-party service and creating local image files. Prefer offline mode for routine use, and avoid API/image conversion in automated or sensitive environments unless the SVG rendering path is hardened or sandboxed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its documented behavior and referenced package capabilities indicate network access and file-related operations. This creates a transparency and policy-enforcement gap: users and hosts may approve the skill believing it is low-risk, while it can still reach external services and interact with local resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill description materially overstates and misrepresents behavior: it claims large offline quote coverage and full episode metadata, while also omitting meaningful operational details like external API fetching and image rendering/conversion dependencies. This mismatch can mislead users into enabling a skill under false assumptions, increasing the chance of unexpected network activity, dependency exposure, or inappropriate trust.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In API mode, the script fetches untrusted remote SVG content and writes it to /tmp, then elsewhere may render it with Playwright. Rendering attacker-controlled SVG/HTML-capable content in a browser engine can expose the host to browser-based script execution, local file access attempts, network exfiltration, or exploitation of browser/parser vulnerabilities, especially because the remote API fully controls the returned markup.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The conversion path wraps SVG content into an HTML file and opens it with Playwright via file://, which means any embedded active SVG features or externally referenced resources are processed by a full browser engine. If the SVG content is attacker-controlled, this expands risk from simple file creation into local browser rendering of untrusted markup, potentially enabling script execution in-browser, unintended local/network access, or exploitation of browser bugs.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.browser_file_render

Browser automation renders interpolated SVG/HTML from a file URL with JavaScript enabled.

Critical
Code
suspicious.browser_file_render
Location
scripts/office-quotes.js:98