知识网格 / Knowledge Mesh

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate knowledge-search skill, but it warrants review because it can search private services and persist local files, notes, and query history with limited scoping and retention controls.

Install only if you trust the publisher and need broad knowledge aggregation. Use least-privilege tokens limited to specific workspaces, channels, pages, or repositories where possible; avoid indexing home directories, secret-bearing folders, personal notes, or confidential repositories; review and periodically delete the local data directory; and be aware that search terms may be sent directly to configured external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares real capabilities such as environment-variable access, file read/write, and network access, but does not explicitly declare its permission boundary, which makes it easy for the host system or the user to underestimate the scope it can reach. Combined with its design of searching local knowledge bases, exporting reports, and accessing multiple external platforms, this lack of permission transparency increases the risk of over-privileged access, unintended data egress, and difficult auditing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
Although the skill description emphasizes "cross-platform knowledge search aggregation", its actual behavior also includes local file indexing, index deletion, topic monitoring, report export, feedback learning, and statistics, a much broader set of data-processing and persistence capabilities. This scope expansion lets users trigger local data scanning, long-term monitoring, or file writes without being adequately informed, which carries particular privacy and security risk when internal knowledge sources are involved.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The stats action reads local usage and subscription metadata and returns subscription tier, daily limits, and remaining quota, which goes beyond pure search-report export functionality. In a multi-tenant, agent, or shared runtime context, exposing billing or entitlement state can leak sensitive account information and enable profiling of the user or environment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Trigger conditions such as "search", "find", "look it up", and "when a technical question is asked" are overly broad and may accidentally start the cross-platform search flow in ordinary conversation. After a false trigger, user input may be sent to external platforms or run against the local index, causing unnecessary data exposure and resource consumption.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Expressions such as "export", "generate a report", and "save the results" are common in everyday conversation and may cause unintended file-write operations. If the output path or result content contains sensitive information, an accidental export risks writing data to disk, overwriting files, or leaking content in a shared environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill supports building, rebuilding, and deleting a local index and exporting reports, but does not clearly state which directories these operations read, where they write, whether they overwrite existing files, or how they affect local data. For directories containing source code, internal documents, or personal notes, this amplifies the risk of misoperation and of sensitive information being written to disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends queries to external services such as GitHub, Stack Overflow, Discord, Confluence, Notion, Slack, and Baidu, and may also monitor and aggregate internal knowledge sources, but it does not adequately explain which user input, internal document content, or metadata is sent out. If a user inadvertently submits a query containing internal project names, confidential terminology, or private note content, this may lead to privacy leaks or compliance problems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises local indexing of user files and Obsidian vault content but does not clearly warn that sensitive local data may be scanned, tokenized, stored in an index, and potentially surfaced in search results or synthesized reports. In a skill that aggregates knowledge across many sources, users may underestimate the privacy implications and accidentally expose secrets, private notes, credentials, or proprietary code through indexing or later export actions.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The README promotes topic monitoring and digest generation without warning that this may trigger recurring external queries and ongoing collection of search results or notifications. That omission can cause users to enable background monitoring without understanding the operational, privacy, or rate-limit implications across connected services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The index action reads contents from user-specified local paths, tokenizes them, and persists searchable metadata and term postings without any explicit consent, warning, or path-scope restriction. In an agent context, this can lead to unintended collection and long-term storage of sensitive local data from documents, source trees, configs, or notes, especially because the skill description emphasizes knowledge aggregation rather than local data harvesting.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The rebuild operation wipes persisted index state and recreates it from remembered file paths without an explicit destructive-operation warning or confirmation step. In an agent-driven workflow, a mistaken or induced rebuild can silently discard prior index state and re-scan local files, causing both loss of application state and renewed collection of sensitive content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The module persistently stores raw search queries, click history, and feedback to disk, which can expose sensitive user interests, internal project terms, credentials accidentally pasted into queries, or other behavioral metadata if the local data store is accessed by other users, logs, backups, or compromised components. In a cross-platform enterprise knowledge aggregator spanning GitHub, Slack, Confluence, Notion, and Discord, this telemetry can reveal highly sensitive organizational activity even without direct code execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The index operation persists note-derived data to a local JSON file, including absolute file paths, tags, frontmatter, token samples, modification times, and content previews. For a knowledge aggregation skill handling potentially sensitive personal or organizational Obsidian vaults, storing this metadata without explicit notice, consent, retention controls, or minimization creates a real privacy/security risk if the local data directory is later accessed by another user, process, backup system, or companion component.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The sync path rewrites and retains the local index based on vault contents, continuing persistence of note-derived information across runs without any user-facing reminder or lifecycle control. In this skill's context, the danger is elevated because Obsidian vaults often contain private notes, internal documentation, credential fragments, or project data, so silent long-term retention broadens exposure beyond the original files.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
User search queries are sent to multiple third-party services based on configured sources, and the action layer does not provide an explicit disclosure or consent gate before transmitting potentially sensitive terms. In a knowledge-aggregation skill, queries may contain internal project names, secrets, incident details, or personal data, so silent transmission expands privacy and confidentiality risk.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The connection-test action actively contacts external APIs using configured credentials without an explicit warning that credentials will be exercised against third-party endpoints. While this is expected for a connectivity test, the lack of disclosure can surprise users and may leak metadata such as account existence or token validity to external services.

External Transmission

Medium
Category
Data Exfiltration
Content
| **Get question details** | `GET /questions/{ids}?site=stackoverflow&filter=withbody` |
| **Authentication** | query parameter `key={KM_STACKOVERFLOW_KEY}` |
| **Rate limit** | 300 requests/day without a key, 10,000 requests/day with a key |
| **Documentation** | https://api.stackexchange.com/docs |

> Note: the response data is gzip-compressed; urllib handles this automatically.
Confidence
84% confidence
Finding
https://api.stackexchange.com/

VirusTotal

63/63 vendors flagged this skill as clean.
