
Security audit

Qirabot

Security checks across malware telemetry and agentic risk

Overview

This is a coherent GUI automation skill, but users should treat it like a remote UI automation service that can see and act on whatever screen or session they give it.

Install only if you are comfortable giving Qirabot-driven automation access to the target app or browser session. Avoid using it on screens with secrets or regulated data, keep recording off unless needed, review generated reports before sharing them, and require explicit confirmation before purchases, posts, deletions, or actions in a logged-in account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to run shell commands and use environment secrets such as `QIRA_API_KEY`, but it declares no permissions. This creates a permission-model mismatch: an agent or platform may invoke the skill without surfacing to users that it can execute commands or access sensitive environment state, increasing the risk of unintended command execution or secret exposure.
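One way to catch this class of mismatch before install is to derive the capabilities a skill's helper scripts actually exercise from their source and compare them with what the manifest declares. The following is an added example written for this audit page, not code from Qirabot or SkillSpector. The manifest shape (`permissions.env` as a list of variable names, `permissions.shell` as a boolean) is a hypothetical schema chosen for the example, and `SAMPLE_DOCTOR` is a constructed script modelled on the doctor-style snippet quoted in the findings below, not the skill's real file.

```python
import ast

# Hypothetical manifest vocabulary for this example: "env" lists variable names
# the skill may read, "shell" says whether it may execute commands.
ENV_CALLS = {("os", "environ", "get"), ("os", "getenv")}
SHELL_CALLS = {("subprocess", "run"), ("subprocess", "Popen"),
               ("subprocess", "check_output"), ("subprocess", "call"),
               ("os", "system")}

# Constructed sample, modelled on a "doctor" check script; not the skill's file.
SAMPLE_DOCTOR = '''
import os, shutil, subprocess
has_key = bool(os.environ.get("QIRA_API_KEY"))
sdk = os.environ["ANDROID_HOME"]
adb = shutil.which("adb")
if adb:
    out = subprocess.run([adb, "devices"], capture_output=True, text=True, timeout=10).stdout
'''


def _dotted(node):
    """Return an attribute chain as a tuple, e.g. ('os', 'environ', 'get')."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _describe(node):
    """Best-effort rendering of a command argument for the finding text."""
    if isinstance(node, ast.Constant):
        return str(node.value)
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, (ast.List, ast.Tuple)):
        return " ".join(_describe(e) for e in node.elts)
    return "<dynamic>"


def detect_capabilities(source):
    """Scan Python source for environment reads and process execution (Python 3.9+ AST)."""
    found = {"env": set(), "shell": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in ENV_CALLS and node.args and isinstance(node.args[0], ast.Constant):
                found["env"].add(node.args[0].value)
            elif target in SHELL_CALLS:
                found["shell"].add(_describe(node.args[0]) if node.args else "<dynamic>")
        elif isinstance(node, ast.Subscript):
            # os.environ["NAME"] is an environment read too
            if _dotted(node.value) == ("os", "environ") and isinstance(node.slice, ast.Constant):
                found["env"].add(node.slice.value)
    return found


def audit_manifest(manifest, source):
    """Return human-readable findings for every capability used but not declared."""
    declared = manifest.get("permissions", {})
    declared_env = set(declared.get("env", []))
    caps = detect_capabilities(source)
    findings = []
    for name in sorted(caps["env"] - declared_env):
        findings.append(f"reads env var {name} but does not declare it")
    if caps["shell"] and not declared.get("shell", False):
        cmds = "; ".join(sorted(caps["shell"]))
        findings.append(f"executes commands ({cmds}) but does not declare shell access")
    return findings


if __name__ == "__main__":
    for f in audit_manifest({"name": "qirabot", "permissions": {}}, SAMPLE_DOCTOR):
        print("UNDECLARED:", f)
```

Run against an empty permission block the sample yields three findings (two environment variables and one command execution); declaring both variables and `shell: true` makes it clean. The AST approach is deliberately static so it can run on a skill package before anything is installed or executed.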

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger language is extremely broad (`automate a website or app`, `fill a form`, `scrape a page`, `tap or click a button`) and overlaps with many common requests. That makes accidental or overly eager invocation more likely, which is risky here because the skill can drive GUIs, run shell setup commands, and automate external actions under the user's identity.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The reference explicitly documents optional recording of the host machine's screen, which can unintentionally capture unrelated windows, notifications, credentials, tokens, PII, or other sensitive data visible on the operator's desktop. In a GUI automation skill, this is more dangerous because users are likely to run it during authenticated sessions and the resulting report artifacts may be stored, shared, or retained without realizing their sensitivity.
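Recording should stay off unless needed, but when a report has been produced anyway, a redaction pass before it is stored or shared removes the most common accidental captures. The following is an added example for this audit page, not code from Qirabot or SkillSpector. It scrubs the exact values of secret-looking environment variables and two token shapes: the `qk_` prefix shown in the doctor hint (`export QIRA_API_KEY=qk_...`) and a generic bearer/API-key shape, which is an assumption for this example. `REPORT` is a constructed report fragment, and the key and bearer values in it are made up.

```python
import os
import re

# Environment variables whose values are treated as secrets if they appear in a report.
SECRET_NAME_RE = re.compile(r"KEY|TOKEN|SECRET|PASS", re.IGNORECASE)

# Token shapes to scrub even when the value was never exported in this process
# (typed in a terminal, pasted into a form, visible in another window).
# The qk_ prefix comes from the doctor hint on the page; the generic shape is an assumption.
TOKEN_PATTERNS = [
    (re.compile(r"\bqk_[A-Za-z0-9_\-]{8,}\b"), "<redacted:token>"),
    (re.compile(r"((?:bearer|token|api[_-]?key|secret)\b[=:\s]+)([A-Za-z0-9_\-\.]{16,})",
                re.IGNORECASE), r"\1<redacted:token>"),
]

# Constructed report fragment; values are made up for the example.
REPORT = """\
Task: Add the cheapest in-stock item to the cart and check out
Step 1: screenshot ocr: 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456'
Step 2: terminal window visible: export QIRA_API_KEY=qk_abcdef1234567890
Step 3: Checked out order #1842
"""


def redact(text, env=None, min_len=8):
    """Return text with secret env values and known token shapes replaced."""
    env = os.environ if env is None else env
    # 1. Exact values of secret-looking variables, longest first so a value that is a
    #    prefix of another does not leave a tail behind. Short values are skipped to
    #    avoid scrubbing ordinary words.
    secrets = sorted(
        ((n, v) for n, v in env.items() if SECRET_NAME_RE.search(n) and len(v) >= min_len),
        key=lambda nv: -len(nv[1]),
    )
    for name, value in secrets:
        text = text.replace(value, f"<redacted:{name}>")
    # 2. Token shapes, for secrets this process never held in its own environment.
    for pattern, replacement in TOKEN_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


if __name__ == "__main__":
    print(redact(REPORT, env={"QIRA_API_KEY": "qk_abcdef1234567890"}))
```

Redaction is a last line of defence: it only removes shapes it knows about, so a password typed into a form or a customer record on screen will still survive. The primary control remains not recording screens that show secrets or regulated data.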

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation says `bot.ai` runs the perceive-decide-act loop on the vendor backend and manages step history server-side, but it does not clearly warn that screenshots, step history, task instructions, and possibly sensitive UI contents are transmitted to a remote service. In this skill context, that omission is significant because the tool is designed to automate real applications, including authenticated websites and apps, so remote processing may expose business data, credentials, or regulated content to third-party infrastructure.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
"pyautogui (whole-screen) is fine on any 3.10+; only the airtest path pins numpy<2.")

    # 2. API key
    has_key = bool(os.environ.get("QIRA_API_KEY"))
    line(OK if has_key else NO, "QIRA_API_KEY is set",
         "" if has_key else "Get a key at https://app.qirabot.com, then: export QIRA_API_KEY=qk_...")
    hard_ok = hard_ok and has_key
Confidence
70% confidence
Finding
os.environ.get("QIRA_API_KEY

Unvalidated Output Injection

High
Category
Output Handling
Content
hard_ok = hard_ok and bool(adb)
        if adb:
            try:
                out = subprocess.run([adb, "devices"], capture_output=True,
                                     text=True, timeout=10).stdout
                devs = [ln for ln in out.splitlines()[1:] if ln.strip() and "\tdevice" in ln]
                line(OK if devs else NO, f"Android device connected ({len(devs)})",
Confidence
95% confidence
Finding
subprocess.run([adb, "devices"], capture_output
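The quoted check slices `out.splitlines()[1:]` and counts lines containing `\tdevice`, which assumes the header is always the first line and treats whatever is in the serial column as trustworthy. A device-supplied serial can later be passed back to `adb -s` or written into a report. The following is an added example for this audit page, not code from Qirabot; it parses `adb devices` output relative to its header, separates device state from serial, and validates the serial against the shapes adb itself produces before it is ever used as an argument. `SAMPLE_OUTPUT` is constructed, including two deliberately malformed serials.

```python
import re
import subprocess

# Serial shapes adb produces: USB serials, emulator-NNNN, host:port for TCP devices.
# A leading "-" is rejected so a serial can never be parsed as an adb option.
SERIAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]{0,63}$")

# Constructed output; the last two entries are what an untrusted serial could look like.
SAMPLE_OUTPUT = (
    "* daemon not running; starting now at tcp:5037\n"
    "* daemon started successfully\n"
    "List of devices attached\n"
    "emulator-5554\tdevice\n"
    "ZY22ABCDEF\tunauthorized\n"
    "192.168.1.20:5555\tdevice\n"
    "weird serial; rm -rf /\tdevice\n"
    "--evil\tdevice\n"
    "\n"
)


def parse_adb_devices(output):
    """Return (serial, state) pairs from `adb devices` output, header-relative."""
    devices = []
    in_list = False
    for line in output.splitlines():
        if line.startswith("List of devices attached"):
            in_list = True
            continue
        if not in_list or not line.strip():
            continue
        serial, sep, rest = line.partition("\t")
        if not sep:
            continue  # not a "serial<TAB>state" line
        fields = rest.split()
        state = fields[0] if fields else ""  # `adb devices -l` appends more fields
        devices.append((serial, state))
    return devices


def ready_devices(output):
    """Serials in state 'device' that pass validation; rejected serials returned separately."""
    ready, rejected = [], []
    for serial, state in parse_adb_devices(output):
        if state != "device":
            continue
        (ready if SERIAL_RE.match(serial) else rejected).append(serial)
    return ready, rejected


def adb_argv(adb, serial, *args):
    """Build an argv list for adb, refusing serials that did not validate."""
    if not SERIAL_RE.match(serial):
        raise ValueError(f"refusing to use untrusted serial: {serial!r}")
    return [adb, "-s", serial, *args]


def list_ready_devices(adb="adb"):
    """Live variant: run adb and apply the same parsing and validation."""
    out = subprocess.run([adb, "devices"], capture_output=True, text=True, timeout=10).stdout
    return ready_devices(out)


if __name__ == "__main__":
    ready, rejected = ready_devices(SAMPLE_OUTPUT)
    print("ready:", ready)
    print("rejected:", rejected)
```

Passing arguments as a list already avoids a shell, so the risk is not shell metacharacters but a serial that adb, a report consumer, or a later `shell=True` call interprets; the allow-list rejects both cases rather than trying to enumerate bad characters.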

Session Persistence

Medium
Category
Rogue Agent
Content
**Keep the task string a concise goal, not a step-by-step script.** `bot.ai` is
smart enough to plan its own clicks — over-specifying ("click Search, then type
X, then click the first result, then…") fights the model, locks in a brittle
path, and burns extra steps. Write what success looks like, not how to get
there. Good: `"Add the cheapest in-stock item to the cart and check out"`.
Bad: a 6-step click-by-click recipe.
Confidence
89% confidence
Finding
Write what success looks like, not how to get there. Good: `"Add the cheapest in-stock item to the cart and check out"`. Bad: a 6-step click-by-click recipe. The examples here pass the target explici

VirusTotal

65 of 65 vendors rated this skill clean.