Back to skill

Security audit

Customer Logo Wall Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs Review because it can overwrite business files and replace logo assets while sending customer/company data to public web services.

Install only if you are comfortable sending customer or company names to public search engines and allowing local business files to be modified. Back up the workbook first, avoid confidential customer lists unless external lookup is approved, review generated filenames and logo sources, and prefer requiring confirmation before overwriting Excel files or replacing downloaded assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        tmp_svg = svg_path + '.svg'
        shutil.copy2(svg_path, tmp_svg)
        result = subprocess.run(
            ['qlmanage', '-t', '-s', str(size), '-o', '/tmp/', tmp_svg],
            capture_output=True, text=True, timeout=15
        )
Confidence
81% confidence
Finding
result = subprocess.run( ['qlmanage', '-t', '-s', str(size), '-o', '/tmp/', tmp_svg], capture_output=True, text=True, timeout=15 )

Tainted flow: 'AGENT_BROWSER' from os.environ.get (line 45, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
for query in queries:
        url = f"https://image.baidu.com/search/index?tn=baiduimage&word={urllib.parse.quote(query)}"
        subprocess.run([AGENT_BROWSER, 'open', url], capture_output=True, env=env)
        time.sleep(3)

        js = "JSON.stringify([...document.querySelectorAll('[data-objurl]')].map(e=>e.getAttribute('data-objurl')).filter(u=>u&&u.startsWith('http')).slice(0,8))"
Confidence
98% confidence
Finding
subprocess.run([AGENT_BROWSER, 'open', url], capture_output=True, env=env)

Tainted flow: 'AGENT_BROWSER' from os.environ.get (line 45, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
time.sleep(3)

        js = "JSON.stringify([...document.querySelectorAll('[data-objurl]')].map(e=>e.getAttribute('data-objurl')).filter(u=>u&&u.startsWith('http')).slice(0,8))"
        out = subprocess.run([AGENT_BROWSER, 'eval', js], capture_output=True, text=True, env=env).stdout

        import re
        raw_urls = re.findall(r'https?://[^\\"]+', out)
Confidence
98% confidence
Finding
out = subprocess.run([AGENT_BROWSER, 'eval', js], capture_output=True, text=True, env=env).stdout

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill requires broad capabilities including environment access, file read/write, network access, and shell execution, yet it declares no permissions or capability boundaries. This creates a confused-deputy risk where users and the platform cannot accurately assess what the skill may do, especially since it modifies local files and performs external network retrievals.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose suggests spreadsheet processing and PPT generation, but the documented behavior also includes browser automation, external scraping, logo downloading, OCR analysis, format conversion, and repeated online retries. This mismatch is dangerous because it conceals the true operational scope, increasing the chance that users expose company data to third parties or allow broader actions than they intended.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
A script presented as 'verification' also performs network search and automatic redownload of files from the public internet. In this skill context, that is more dangerous because users may expect passive validation, but the script actively fetches and overwrites local assets with remote content from search results of uncertain provenance.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script delegates browsing and DOM evaluation to an external executable selected via environment configuration. In an automation/agent skill, this expands the trust boundary significantly: anyone controlling deployment configuration can swap in a malicious binary that receives inherited environment variables and executes arbitrary actions.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
TLS hostname and certificate verification are explicitly disabled for logo downloads, allowing man-in-the-middle attackers to intercept connections and supply arbitrary image content. Because the script writes downloaded data directly into the working logos directory, this can poison assets and undermine any trust in the verification workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs overwriting the user's original Excel file and frames this as mandatory, but does not require confirmation, backup creation, or safe-save behavior. This is a destructive operation that can corrupt source data, break formulas or formatting, and cause irreversible loss if the write process fails or the inserted column is incorrect.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill sends company identifiers and related queries to Baidu, Bing, and company websites to discover names and logos, but it does not clearly warn users that spreadsheet-derived data will be transmitted to external services. In enterprise contexts, even customer names or prospect lists may be sensitive commercial information, so silent network disclosure creates privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Disabling TLS verification without warning users hides a meaningful reduction in transport security. In this context, users may assume downloaded logos come from authentic servers, when in fact the channel is unauthenticated and susceptible to tampering.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic redownload writes remote content into the logos directory with no explicit user warning at the point of use. In a content-processing skill, silent overwrite of local assets from search-engine results can introduce integrity issues and unsafe or incorrect branding materials into downstream PPT generation.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.