Security audit

wx-skill-caller

Security checks across malware telemetry and agentic risk

Overview

This skill explicitly forwards raw user messages to a third-party API, and its routing is broad enough to capture ordinary chat, with no clear per-message consent or scoping control.

Review before installing. Only enable this skill if users understand that ordinary chat text may be sent to the listed third-party backend. Do not use it for secrets, credentials, private business data, or personal information unless the backend’s retention and security practices are trusted. Prefer a version with explicit opt-in routing, narrower triggers, and redaction or confirmation before forwarding messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill performs outbound network access to a third-party backend but does not declare that capability in its permissions or metadata. Hidden or undeclared network behavior weakens platform trust boundaries and can lead users or reviewers to overlook that their prompts are being transmitted externally.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The trigger scope is extremely broad, covering general chat, help, open-ended questions, and most Chinese-language input, which makes this skill likely to intercept ordinary user requests by default. Because the skill forwards raw user content to an external API, overbroad routing materially increases the chance of unnecessary data exfiltration and bypasses more transparent first-party handling.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill explicitly instructs sending the user's raw message content to a backend API and returning the response, but provides no user-facing warning or consent mechanism. This is dangerous because arbitrary prompts may contain personal, confidential, or security-sensitive data that would be silently disclosed to an external system.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding: The skill says Chinese-language questions should preferentially be routed to the backend service, creating language-based steering without user opt-in. In context, this is more dangerous because it systematically diverts a broad class of routine messages to an external endpoint, creating unequal and potentially unexpected data exposure for Chinese-speaking users.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script sends raw user-provided content directly to an external third-party API endpoint without any consent prompt, disclosure, minimization, or validation. In the context of an agent skill described as the default handler for general user messages, this creates a meaningful privacy and data-exfiltration risk because users may provide sensitive personal, confidential, or security-relevant content that is automatically forwarded off-platform.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.