
Security audit

geo-quickhook

Security checks across malware telemetry and agentic risk

Overview

This sales-report skill has a coherent purpose, but it shares data more broadly than its description suggests and makes misleading claims in the reports it generates; users should review both before installing.

Install only after reviewing the workflow. In particular:
  • Use an approved, scoped LLM API key.
  • Avoid confidential customer data unless external processing is allowed.
  • Disable or replace the Desktop-wide HTTP server flow.
  • Require explicit confirmation before Feishu delivery.
  • Do not rely on the default “5 engine” claims unless separate real providers are configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet its instructions clearly rely on environment variables, file creation on the Desktop, local HTTP serving, process control, and outbound delivery steps. This mismatch is dangerous because users and hosting systems cannot accurately assess or constrain what the skill will access and do, increasing the chance of unauthorized file handling or secret exposure.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Starting a local HTTP server and using browser automation to open and screenshot files increases the attack surface and exposes generated reports over a network-accessible interface, even if bound to localhost by default. This operational chain is unnecessary for basic analysis and can create unintended access paths, residual processes, or leakage of sensitive report content.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
Starting a local HTTP server and using browser automation to open and screenshot files increases the attack surface and exposes generated reports over a network-accessible interface, even if bound to localhost by default. This operational chain is unnecessary for basic analysis and can create unintended access paths, residual processes, or leakage of sensitive report content.
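The two Context-Inappropriate Capability findings above both concern the Desktop-wide HTTP server. The following is an added example written for this audit page, not code from the audited skill: it keeps the flagged pattern as inert data for comparison and shows the hardened replacement, serving only a dedicated report directory, bound to loopback on an ephemeral port, and torn down deterministically so no listener outlives the run. The directory layout, file names and the sample report content are constructed for the demonstration.

```python
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request


def weak_server_config():
    # The pattern the audit flags, kept as data only (never started here):
    # the whole Desktop as web root, all interfaces, a fixed well-known port.
    # Everything on the Desktop is browsable for as long as the process lives.
    return {"directory": os.path.expanduser("~/Desktop"),
            "bind": "0.0.0.0", "port": 8000}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler without per-request stderr logging."""

    def log_message(self, fmt, *args):
        pass


class ReportServer:
    """Hardened replacement: serve exactly one directory, bind loopback
    only, let the OS pick an ephemeral port, and stop deterministically."""

    def __init__(self, directory):
        handler = functools.partial(_QuietHandler, directory=directory)
        # Port 0 asks the kernel for a free ephemeral port.
        self._httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
        self.port = self._httpd.server_address[1]
        self._thread = threading.Thread(
            target=self._httpd.serve_forever, daemon=True)

    def __enter__(self):
        self._thread.start()
        return self

    def __exit__(self, *exc):
        self._httpd.shutdown()       # stop the serve_forever loop
        self._httpd.server_close()   # release the listening socket
        self._thread.join(timeout=5)
        return False

    def url(self, name):
        return f"http://127.0.0.1:{self.port}/{name}"


def fetch_status(url):
    """HTTP status for url, or None when nothing is listening any more."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def demo():
    """Serve a constructed report next to a constructed 'other Desktop
    file', probe what is reachable, then tear down. Returns the statuses."""
    with tempfile.TemporaryDirectory() as workdir:
        report_dir = os.path.join(workdir, "report")
        os.mkdir(report_dir)
        with open(os.path.join(report_dir, "report.html"), "w") as fh:
            fh.write("<h1>constructed sample report</h1>")
        with open(os.path.join(workdir, "secret.txt"), "w") as fh:
            fh.write("stands in for an unrelated Desktop file")

        with ReportServer(report_dir) as srv:
            report_url = srv.url("report.html")
            result = {
                "report": fetch_status(report_url),
                # SimpleHTTPRequestHandler discards '..' segments and the web
                # root is report_dir, so the sibling file is unreachable.
                "traversal": fetch_status(srv.url("../secret.txt")),
                "sibling": fetch_status(srv.url("secret.txt")),
            }
        # After the context exits the socket is closed: no residual listener.
        result["after_shutdown"] = fetch_status(report_url)
        return result


if __name__ == "__main__":
    print(demo())
```

If the screenshot step genuinely needs an HTTP origin (some browser automation refuses file:// pages), this shape keeps the exposure to one directory, one loopback port and one process lifetime; if it does not, drop the server and screenshot the file directly.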

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code labels five different 'engines' but configures all of them to use the same API key, base URL, and model, so the report materially misrepresents the source and diversity of the data. In this skill's sales context, that deception is especially risky because the generated output is explicitly designed to create urgency and pressure customers into signing, making the falsified multi-engine claim security-relevant as an integrity and social-engineering issue.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The HTML report asserts that the data comes from 'real Q&A' and '5 major AI engines' even though the implementation can route everything through one OpenAI-compatible backend. Because the skill is explicitly intended to '制造焦虑触发签约' ('create anxiety to trigger signing'), this misleading language amplifies the chance of deceptive downstream use against customers.
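The Description-Behavior Mismatch and Intent-Code Divergence findings above describe the same defect from two sides: the configuration and the report text. The following is an added example, not code from the audited skill, showing an integrity check a maintainer could run before rendering: it groups the configured "engines" by the fields that actually decide where a request goes, derives the only source statement the report is entitled to make, and flags any numeric engine claim in the report body that exceeds that number. Field names (name, base_url, model, api_key_env), the example provider URLs and the sample report sentence are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed configuration mirroring the finding: five labels, one backend.
SAME_BACKEND_ENGINES = [
    {"name": f"engine-{i}", "base_url": "https://api.openai.com/v1/",
     "model": "gpt-4o", "api_key_env": "LLM_API_KEY"}
    for i in range(1, 6)
]

# Constructed configuration with separate providers (placeholder hosts).
# provider-b-alias differs from provider-b only in case and trailing slash.
DISTINCT_ENGINES = [
    {"name": "provider-a", "base_url": "https://a.example/v1",
     "model": "model-a", "api_key_env": "A_KEY"},
    {"name": "provider-b", "base_url": "https://b.example/v1",
     "model": "model-b", "api_key_env": "B_KEY"},
    {"name": "provider-b-alias", "base_url": "https://B.example/v1/",
     "model": "Model-B", "api_key_env": "B_KEY"},
    {"name": "provider-c", "base_url": "https://c.example/v1",
     "model": "model-c", "api_key_env": "C_KEY"},
]

# Constructed report fragment carrying the kind of claim the audit quotes.
SAMPLE_REPORT = ("<p>Results are drawn from real Q&amp;A across "
                 "5 major AI engines.</p>")


def backend_identity(engine):
    """Normalise the fields that decide where a request is really sent,
    so cosmetic differences cannot make one backend look like several."""
    url = engine["base_url"].strip().rstrip("/").lower()
    return (url, engine["model"].strip().lower(), engine["api_key_env"])


def group_by_backend(engines):
    """Map each distinct backend to the engine labels that resolve to it."""
    groups = defaultdict(list)
    for eng in engines:
        groups[backend_identity(eng)].append(eng["name"])
    return dict(groups)


def allowed_source_claim(engines):
    """The only source statement the report may make for this config."""
    n = len(group_by_backend(engines))
    return f"Data from {n} AI engine" + ("" if n == 1 else "s")


_CLAIM_RE = re.compile(r"(\d+)\s+(?:major\s+)?AI\s+engines?", re.IGNORECASE)


def report_claim_mismatches(report_html, engines):
    """Every numeric engine claim in the report that exceeds the number of
    distinct backends actually configured, as (claimed, actual) pairs."""
    actual = len(group_by_backend(engines))
    return [(int(m.group(1)), actual)
            for m in _CLAIM_RE.finditer(report_html)
            if int(m.group(1)) > actual]


if __name__ == "__main__":
    print(group_by_backend(SAME_BACKEND_ENGINES))
    print(allowed_source_claim(SAME_BACKEND_ENGINES))
    print(report_claim_mismatches(SAMPLE_REPORT, SAME_BACKEND_ENGINES))
```

Running the check against the five-label configuration collapses it to a single backend and reports the "5 major AI engines" sentence as a (5, 1) mismatch; the intended use is to fail the render, or substitute the allowed claim, whenever that list is non-empty.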

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrases are broad and overlap with normal sales or analysis conversation, making accidental invocation more likely. In this skill, accidental triggering is more concerning because execution can lead to script execution, report generation, local hosting, and external delivery steps rather than a harmless text response.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill description does not warn users that it will expose report files through a local HTTP server and send screenshots externally via Feishu. Lack of disclosure undermines informed consent and increases the risk that sensitive client, competitor, or internal sales information is shared outside the expected environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends user-supplied brand, competitor, and keyword data to an external LLM API during question generation and analysis without an explicit runtime disclosure or consent step. That can expose commercially sensitive prospecting data to third-party services, and the pre-sales context increases sensitivity because brands, competitors, and signing-related keywords may be confidential business intelligence.

External Transmission

Medium
Category
Data Exfiltration
Content
**Environment variables must be set in advance**:
```bash
export LLM_API_KEY="your-api-key-here"
export LLM_BASE_URL="https://api.openai.com/v1"
export LLM_MODEL="gpt-4o"
```
Confidence
74% confidence
Finding
Outbound transmission to https://api.openai.com/ (the default LLM_BASE_URL shown in the content above); brand, competitor and keyword inputs are sent to this external endpoint during question generation and analysis.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.