RiskShield Case Approval Automation

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated goal of automating RiskShield approvals, but it ships reusable credentials, a saved token, and many debug/API scripts that can access or change sensitive case data.

Do not install this as-is unless you own the RiskShield environment and have rotated the exposed credentials and token. Require per-user or securely injected least-privilege credentials, remove token.json and debug/extraction scripts, disable TLS bypasses, and ensure approvals are logged, reversible where possible, and limited to explicitly requested cases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (322)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares browser automation behavior but the analysis indicates network-capable code without corresponding permission declarations. Hidden or undeclared network access reduces transparency and prevents proper review of what external systems the skill contacts, especially in a workflow that can authenticate and submit decisions to a remote service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a significant description-behavior mismatch: the skill presents itself as Playwright-based browser automation, but static analysis says it also performs direct backend API calls, token persistence, data extraction, and includes additional debugging and inspection capabilities. That gap is dangerous because users may grant trust based on the declared purpose while the code can access, persist, and manipulate far more data and functionality than expected.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation exposes hardcoded credentials for an external system, which is a direct secret disclosure. Anyone with access to the skill can reuse those credentials to log in, query cases, or perform approval actions, leading to unauthorized access and potentially fraudulent or destructive case handling.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script embeds plaintext credentials and uses them to log into a production-like web system and perform unattended approval actions. In this approval-automation context, that is dangerous because anyone with code access can reuse the credentials, and the misleading header downplays the fact that the script can autonomously authenticate and approve cases.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes valid-looking RiskShield login credentials directly in source and uses them automatically to access a production-like system. This is dangerous because anyone with access to the skill or logs can reuse the credentials for unauthorized access, and the skill context is especially sensitive because it automates case approval decisions in a financial/risk workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded username/password credentials and uses them for direct API and browser login, which exposes secrets to anyone with source access and enables unauthorized access if the file is copied, logged, or leaked. In an approval automation skill, these credentials can be abused to impersonate an approver and perform sensitive case actions outside normal user-mediated controls.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded RiskShield credentials and uses them to authenticate automatically. Embedded credentials can be extracted by anyone with access to the skill, enable unauthorized access to the approval system, and are especially dangerous here because the script can directly approve or refuse cases.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The browser context is created with ignoreHTTPSErrors: true, which suppresses TLS certificate validation and allows the automation to proceed against endpoints with invalid or intercepted certificates. This weakens transport security and creates a realistic man-in-the-middle risk during login and approval operations, including exposure of credentials and session data.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script persists authentication material to a local token.json file and also writes screenshots to /tmp, creating unnecessary local data exposure for a browser-automation approval tool. Tokens and screenshots can contain session secrets, case identifiers, and sensitive approval data, and any other local user, process, or later compromise could harvest them.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hard-coded RiskShield credentials and uses them to authenticate automatically. Embedding reusable production-like credentials in code is dangerous because anyone with access to the skill or repository can recover them and gain unauthorized access to the approval system, enabling case review or action under that account.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hard-coded production-like login credentials and uses them to authenticate automatically into an approval system. Embedding credentials in code is dangerous because anyone with access to the skill or logs can reuse them to access the system and perform sensitive case actions outside intended controls.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script behavior materially exceeds the stated skill purpose of approval automation: it performs credentialed login, page inspection, broad content collection, and exploratory searching. In an agent skill, this capability mismatch is dangerous because it can hide unauthorized reconnaissance or data access behind an apparently routine approval workflow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script captures a screenshot, reads full body text, and enumerates UI inputs, which are broad data-extraction and reconnaissance actions unrelated to simply approving or refusing a case. In a case-management context, these behaviors can expose sensitive case data, credentials-adjacent UI metadata, or internal workflow details, making the skill more dangerous than its description suggests.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script performs a full authenticated login with a hardcoded approval account just to check case status, expanding access beyond the advertised approval-only scope. This creates unnecessary privilege use and enables anyone with the code to access the remote system as that account, increasing the blast radius if the script is copied, leaked, or repurposed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code contains plaintext service credentials directly in source, which is a direct secret exposure vulnerability. Anyone with repository, package, log, or artifact access can recover the username and password and use them to log into the RiskShield environment, potentially performing unauthorized reads or approvals depending on account privileges.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded RiskShield credentials and automatically uses them to log into a live approval system. Embedded secrets are easily leaked via source control, logs, screenshots, or reuse by anyone with code access, enabling unauthorized access to sensitive case and approval data.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script saves a screenshot of an approval page to a fixed local filesystem path, which can persist sensitive case information outside the application’s access controls. On a shared workstation or synced home directory, this may expose regulated or internal approval data to unauthorized users or backup systems.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded credentials and uses them to authenticate into a live-seeming RiskShield environment. Embedded secrets in source code are easily leaked through repositories, logs, or artifact sharing, enabling unauthorized access to approval systems and downstream business actions.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script saves a screenshot from an approval page to a fixed local filesystem path under a user directory. Approval screens can contain sensitive case, customer, or decision data, and writing them to disk without access controls or disclosure increases the chance of unintended retention and local data exposure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hard-coded credentials and uses them to authenticate to a real external RiskShield environment, then access case approval functionality. In an approval-automation skill, embedded secrets are especially dangerous because anyone with code access can reuse the account to view or act on sensitive cases, and the script is capable of reaching decision workflows.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds plaintext credentials and uses them to authenticate to a live RiskShield environment. Hard-coded secrets are a real security vulnerability because they can be extracted from source control, logs, or artifact bundles and then reused for unauthorized access; in this case, the skill’s approval-automation context makes this especially sensitive because the account likely has access to case data and approval actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The debug logic captures screenshots and dumps authenticated page content for inspection, which can expose sensitive case information, internal UI state, or tokens to local files and logs. In an approval system, even 'debug' artifacts may contain regulated or confidential operational data, so collecting them outside a controlled need-to-know workflow expands the attack surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hard-coded credentials and uses them to log into a live RiskShield environment. Embedding reusable usernames and passwords in source code is dangerous because anyone with repository or artifact access can recover them and gain unauthorized access, and in this case the credential is directly tied to an approval workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes valid-looking credentials and uses them to log into a production-like RiskShield environment. Embedded secrets in source code are dangerous because anyone with repository or package access can reuse them for unauthorized access, and this capability is broader than the skill's stated approval automation purpose. In this context, an approval automation skill operating on case data makes credential exposure especially sensitive because it may grant access to regulated or personal information.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script captures a screenshot after authenticating into the application and writes it to local storage, which can preserve sensitive case data, user identifiers, or internal UI state. For an approval-focused skill, retaining debug artifacts is not necessary for core function and increases the risk of unintended data disclosure if the host, logs, or temp directories are accessible.

VirusTotal

64/64 vendors flagged this skill as clean.