Back to skill

Security audit

hubstudio

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a HubStudio automation wrapper, but it gives agents broad control over browsers, cloud phones, cookies, accounts, files, and shell execution without enough scoping or confirmation safeguards.

Install only if you intentionally want an agent to operate HubStudio resources, not just read API docs. Use a test HubStudio account first, avoid testAll on production, and require explicit human review before shell execution, ADB, cookie export/import, file upload, account changes, cache clearing, delete, or stop-all operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (45)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file materially expands the skill from OpenAPI lookup/validation into operational guidance for enabling ADB, connecting to remote devices, authenticating, and executing device-control commands. That capability mismatch is dangerous because users may trust the declared skill scope while being guided into powerful remote-access workflows that expose devices and credentials beyond the intended API-documentation purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide introduces SSH tunneling and direct device-management steps that enable remote access paths to cloud phones, which is substantially more sensitive than API schema lookup or payload validation. In this context, tunneling instructions lower the barrier to establishing privileged connectivity and can facilitate unauthorized device access or post-compromise persistence if misused.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is a full operational tutorial for browser automation, web scraping, starting/stopping local browser environments, and writing local files, which materially exceeds the stated purpose of an OpenAPI lookup/validation skill. This kind of scope expansion creates dangerous capability confusion: users may trust and run automation that interacts with external websites and local state under the guise of a documentation skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The tutorial explicitly frames arbitrary website automation and content extraction as normal usage, despite the skill being described as an OpenAPI reference tool. In context, that mismatch is risky because it normalizes unrelated remote interaction and scraping capabilities that could be repurposed for data collection or misleading users about what the skill is allowed to do.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as an OpenAPI lookup/explanation/validation tool, but the command manifest exposes dozens of live operational endpoints that create, delete, modify, start, stop, upload, and otherwise control HubStudio resources. This mismatch is dangerous because an agent or user expecting read-only documentation assistance could instead trigger real-world side effects across cloud phones, browser environments, accounts, and groups.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The manifest includes an endpoint explicitly labeled for shell command execution (`/api/v1/cloud-mobile/exe-command`), which is far beyond API lookup or validation. Exposing command execution through an agent skill can enable arbitrary actions on managed cloud devices, including persistence, data access, destructive changes, or use as a pivot for further compromise.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill exposes file upload operations, including public URL-based upload and local file upload to cloud phones, even though its stated purpose is documentation lookup and parameter validation. This creates a pathway for unreviewed content transfer into managed devices, which can be abused to stage payloads, move sensitive data, or alter device state under the guise of a supposedly informational skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The manifest grants broad control over browser environments, environment lifecycle, cookies, proxies, accounts, groups, caches, and other sensitive objects, none of which is justified by the limited OpenAPI assistance description. In context, this is especially risky because users may authorize or invoke the skill assuming it is passive documentation tooling when it actually has powerful administrative reach.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata presents this as a lookup/validation tool, but the implementation is an active CLI that performs live POST requests to operational HubStudio endpoints such as browser creation, start, stop, foreground, and arrange. This mismatch is dangerous because users or higher-level agents may invoke it expecting read-only analysis, but it can directly modify local or remote browser environments and trigger unintended side effects.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The testAll feature iterates through every generated command, sends POST requests to each endpoint, and writes a report to disk. In a skill advertised for API lookup and validation, this creates unexpected active behavior that can trigger broad side effects across the HubStudio service, especially if generated commands include mutating or destructive endpoints.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it is for OpenAPI lookup, field explanation, and validation, but the exposed spec includes numerous operational endpoints that can create, delete, power on/off, reconfigure, and control cloud phones, browser environments, accounts, and groups. This mismatch materially expands the agent’s effective authority beyond documentation assistance, creating a confused-deputy risk where a user or downstream tool may invoke destructive or high-impact actions under the guise of a read-only reference skill.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The `/api/v1/cloud-mobile/exe-command` endpoint allows arbitrary shell command execution on a cloud phone, which is far outside the stated purpose of OpenAPI lookup and validation. In an agent setting, exposing command execution through a seemingly informational skill can enable remote code execution, data destruction, persistence, or lateral abuse of managed devices.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill exposes cookie export and related sensitive session-data handling capabilities that are unrelated to documentation lookup. Exporting cookies can disclose live authenticated session material, enabling account hijacking or impersonation if an agent, prompt injection, or unauthorized caller can access these endpoints.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The browser endpoints can start, stop, foreground, arrange, and otherwise control local browser environments exposed on `127.0.0.1`, which is not justified by a documentation-analysis use case. This greatly increases the blast radius of the skill by granting local-host and automation control that can be abused to manipulate sessions, expose debugging ports, or interfere with the operator’s workstation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill is described as an OpenAPI lookup and schema/parameter explanation tool, but its lockfile includes Playwright, a full browser automation framework. This creates unnecessary attack surface and capability expansion: browser automation can fetch arbitrary web content, execute JavaScript in pages, and interact with external sites, which is not needed for static OpenAPI analysis and can enable data exfiltration, SSRF-like access paths, or unintended remote interactions if the skill or its runtime invokes it.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements live browser automation, web search, third-party navigation, and content scraping despite the skill being described as an OpenAPI lookup and validation tool. This creates an unnecessary execution surface that can access external content and perform side effects unrelated to the declared purpose, increasing the chance of misuse, data exposure, or unexpected agent behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script builds a shell command with interpolated arguments and executes it via execSync to control an external browser environment. Even if the current inputs are limited, invoking shell commands from a skill that should only inspect OpenAPI specs is dangerous because it enables command execution and external environment control beyond the declared scope.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill performs networked browser automation against Baidu and then visits whichever landing page appears first in search results, which is arbitrary external content. In the context of an OpenAPI-analysis skill, this is especially risky because it gives the skill undeclared web-browsing capability that can be abused for tracking, exfiltration, or interaction with untrusted sites.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script writes a report file to the local filesystem, which is a side effect not described by the skill's OpenAPI lookup/validation purpose. While the write itself is limited, undeclared file output can leak scraped data, clutter the host environment, and become more dangerous when combined with arbitrary browsing and content collection.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is presented as a lookup/validation reference, but the documented API surface includes many state-changing operations such as deletion, credential updates, browser control, cache clearing, cookie import/export, and cloud-phone actions. This capability mismatch is dangerous because an agent or user may trust the skill as read-only documentation while it actually enables powerful mutating operations with operational and data-loss consequences.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The documented `/api/v1/cloud-mobile/exe-command` endpoint allows arbitrary shell command execution on cloud phones, which is a highly privileged remote-execution capability. In a skill marketed for endpoint lookup and payload validation, this is especially dangerous because it conceals an RCE-like control surface behind an apparently informational context.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The browser control endpoints can start/stop environments and expose debugging ports and WebDriver paths that facilitate automation and deep browser manipulation. That is materially more powerful than simple API reference behavior and can enable account/session abuse, scraping, or unauthorized automation if an agent is over-trusted.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
This endpoint is inconsistently documented: the summary says it sends SMS to a cloud phone, while the description claims it modifies phone metadata. Documentation inconsistencies around side effects can mislead agents and users into invoking unintended actions, especially where messaging or device manipulation is involved.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The team-app creation endpoint is described using text for querying installed app lists, indicating copy/paste or specification drift. Such mismatches increase the chance that an agent will perform a write operation while believing it is only reading data, which is a meaningful safety issue in an operational skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The command list includes operations such as package installation/uninstallation and reboot without any warning, confirmation, or scope limitation. Even as documentation, this can normalize potentially destructive actions and lead users or downstream agents to alter, disrupt, or brick workflows on connected devices without understanding consequences.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command, suspicious.env_credential_access (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
playwright_hubstudio_baidu_demo.js:11

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
README.md:181

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
hubstudio.js:8

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
commands.generated.json:2