Security audit

混沌创新技能 (Hundun Innovation Skill)

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent as a client for a remote course and business-assistance service, but it sends raw user intent data to the provider and asks users to share and store an API key in ways that need careful review.

Install only if you are comfortable sending your course searches, business questions, refinements, and related session metadata to Hundun/AIA services. Set HUNDUN_API_KEY as an environment variable rather than pasting the key into chat, and do not use this skill for confidential strategy, personal data, or proprietary plans unless the provider's data handling is acceptable to you.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The skill presents itself as a learning and business-assistance tool, yet its instructions require sending user intent data back to AIA services. Undisclosed secondary use of that data is risky because users may share commercially sensitive strategy questions assuming they are processed locally only.

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.
Telemetry event reporting is not needed for the stated user-facing purpose and widens the data-exfiltration surface beyond course assistance. Even if intended only for product analytics, hidden telemetry can capture behavior patterns and contextual metadata the user never knowingly agreed to share.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
The helper implements silent telemetry collection that sends intent descriptions and related metadata to /aia/api/v1/intent/collect; its comments state explicitly that it is '静默调用,失败不阻塞主流程' ("called silently; a failure does not block the main flow"). This is a genuine privacy and security issue: the skill's stated purpose is course and business assistance, not undisclosed behavioral tracking, and the code is designed to transmit this data without the user's awareness or consent.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
intent_extra_json packages raw_user_input together with session_id, request_id, turn_id, route, and tool metadata, producing a detailed interaction trace. Capturing and later transmitting raw conversation content alongside correlating identifiers exceeds the advertised scope of the skill and increases privacy risk, especially when prompts contain sensitive business, personal, or proprietary information.

Vague Triggers

Severity: Medium. Confidence: 83%.
The trigger conditions are extremely broad, covering general business-decision questions and creative tasks. Over-broad activation makes it more likely that the skill is invoked in unrelated contexts, causing unnecessary network calls, data collection, or credential prompts for users who never intended to use this service.

Missing User Warnings

Severity: High. Confidence: 98%.
The documentation instructs the agent to upload users' raw questions and follow-up clarifications to a remote intent-collection endpoint without requiring clear notice to, or consent from, the user. Because these prompts may contain business plans, pricing strategy, competitive concerns, or personal data, this is a direct natural-language data-leakage risk.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Telemetry reporting is mandated without informing the user that behavioral data may be sent back to a server. Silent analytics collection undermines informed consent and may expose usage patterns or contextual information beyond what is needed to answer the user's request.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The workflow explicitly instructs the agent to report raw user course requests and refinement data via the telemetry scripts, but imposes no requirement to obtain consent, show a privacy notice, or minimize what is transmitted. This is a real privacy and compliance risk because the input may contain sensitive business plans, personal data, or confidential context that is forwarded to another system without transparency or control.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The playbook explicitly instructs the agent to send raw user input and follow-up refinements to an intent-collection API, but requires no data minimization, consent, redaction of sensitive content, or disclosure that user text is being transmitted. In a skill aimed at business decision support, users may share confidential commercial plans, personal data, or proprietary strategy, so silent forwarding is a real privacy and data-governance risk.

Missing User Warnings

Severity: Medium. Confidence: 95%.
collect_intent builds a JSON body and POSTs it with api_post, discarding any failure, which indicates the telemetry is deliberately kept out of the main user flow. Because the body can include user-derived content and identifiers, the absence of any user-facing warning or consent step makes this a genuine privacy and security concern rather than a harmless implementation detail.
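The findings above describe an intent_extra_json body carrying raw_user_input with session_id, request_id, turn_id, route and tool metadata, and a collect_intent helper that posts it silently. The following is an added example written for this audit, not code from the skill: it shows how a reviewer can enumerate what such a body would disclose, and what a minimized body that still serves product analytics would look like. The sample payload and the tool-metadata key names are constructed; the field names come from the findings.

```python
"""Audit and minimize an agent-skill telemetry payload.

Added example for this audit page; not code from the skill under review.
The field names mirror those the findings list (raw_user_input, session_id,
request_id, turn_id, route, tool metadata); the sample values are constructed.
"""
import hashlib
import json

# Free-form conversation content: must never leave the machine as telemetry.
CONTENT_FIELDS = {"raw_user_input"}
# Identifiers that let a remote party stitch events into a per-user trace.
IDENTIFIER_FIELDS = {"session_id", "request_id", "turn_id"}


def audit_payload(body: dict) -> dict:
    """Report which sensitive fields a telemetry body would transmit.

    Also returns the serialized size, so a reviewer can quantify how much
    user-derived data leaves per event.
    """
    keys = set(body)
    return {
        "content_fields": sorted(keys & CONTENT_FIELDS),
        "identifier_fields": sorted(keys & IDENTIFIER_FIELDS),
        "bytes_out": len(json.dumps(body, ensure_ascii=False).encode("utf-8")),
    }


def minimize_payload(body: dict, salt: bytes) -> dict:
    """Build the body a consent-respecting version could send instead.

    Drops conversation content outright and replaces linkable identifiers
    with salted, truncated SHA-256 digests. The provider can still count
    events and de-duplicate retries, but cannot read what the user asked or
    join the trace to other data sets without the salt, which stays local.
    Route and tool metadata are kept: they carry the analytics signal
    without any user text.
    """
    def pseudonymize(value: str) -> str:
        return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:16]

    out = {}
    for key, value in body.items():
        if key in CONTENT_FIELDS:
            continue
        if key in IDENTIFIER_FIELDS:
            out[key] = pseudonymize(str(value))
        else:
            out[key] = value
    return out


# Constructed sample resembling an intent_extra_json body.
SAMPLE_BODY = {
    "raw_user_input": "Should we raise our SaaS pricing 20% before the Series A?",
    "session_id": "sess-0001",
    "request_id": "req-0001",
    "turn_id": 3,
    "route": "course_search",
    "tool": {"name": "hundun_course_search", "version": "1.0"},
}

if __name__ == "__main__":
    print(json.dumps(audit_payload(SAMPLE_BODY), indent=2))
    print(json.dumps(minimize_payload(SAMPLE_BODY, salt=b"local-only-salt"), indent=2))
```

Run the audit against the real body the skill builds before deciding whether the telemetry is acceptable; if content_fields is non-empty, the user must at minimum be told, and the minimized form shows that analytics does not require the text at all.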

Missing User Warnings

Severity: Medium. Confidence: 98%.
The script embeds a static AES decryption key directly in its source, so anyone with access to the repository, package, logs, or a copied file can recover the key and decrypt every protected script_url value. Because a comment states the key is the same one the server uses, compromise of this client-side utility likely also breaks server-side confidentiality for all data encrypted under that key.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The script sends user-derived intent and the supplied tree ID to telemetry via collect_skill_intent before making the API call, with no visible notice, consent check, or minimization in this file. In a course-search skill these values can reveal the learning interests or business topics the user is exploring, creating privacy and compliance risk if they are logged without transparency or controls.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The script takes an encrypted URL from an API response, decrypts it, and immediately fetches content from that location with curl. With no validation, allowlist, or user-facing disclosure before the outbound request, a compromised API, a misconfiguration, or a malicious response could make the skill retrieve attacker-controlled content or issue unintended network requests.
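The two findings above belong together: once the shared AES key is recovered from the client, anyone who can influence the API response can supply a script_url of their choosing, so encryption gives no guarantee about where the fetch goes. The control that still holds is validating the decrypted URL against an allowlist before curl runs. The following is an added example written for this audit, not the skill's code; the allowed host name is an assumption for illustration.

```python
"""Allowlist a decrypted script URL before handing it to curl.

Added example for this audit page; not code from the skill under review.
ALLOWED_HOSTS is an assumed placeholder, to be replaced with the vendor's
real script host.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"scripts.example.com"}   # assumed for illustration


def validate_script_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if url may be fetched under the allowlist.

    Rejects non-https schemes, any userinfo (the https://allowed@evil/
    trick), non-default or malformed ports, and any host that is not an
    exact, case-insensitive match. Subdomains are not matched implicitly,
    so a name under a delegated or dangling zone cannot slip through.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname is None:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:          # port not an integer or out of range
        return False
    return parts.hostname in {h.lower() for h in allowed_hosts}


def build_fetch_command(url: str) -> list:
    """Return a curl argv for url, or raise if it fails the allowlist.

    --proto =https refuses any non-https target, --max-redirs 0 makes the
    no-redirect behavior explicit (curl does not follow redirects without
    -L, but a later edit adding -L must not reopen the hole), and --fail
    turns an HTTP error page into a non-zero exit instead of content that
    a caller might go on to execute.
    """
    if not validate_script_url(url):
        raise ValueError(f"refusing to fetch non-allowlisted URL: {url}")
    return ["curl", "--fail", "--silent", "--show-error",
            "--proto", "=https", "--max-redirs", "0", url]


if __name__ == "__main__":
    for candidate in [
        "https://scripts.example.com/setup.sh",
        "https://scripts.example.com@evil.example/setup.sh",
        "http://scripts.example.com/setup.sh",
    ]:
        print(candidate, "->", validate_script_url(candidate))
```

Decrypting the URL and then piping the fetched content into a shell is exactly the path an attacker targets; the allowlist plus the restrictive curl flags mean a swapped script_url fails closed rather than executing.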

Missing User Warnings

Severity: Medium. Confidence: 90%.
This script transmits user intent data and potentially session-related metadata to a remote API endpoint, with no explicit notice, consent prompt, or logging transparency at the point of collection. In a skill covering course retrieval, business decision support, and idea extraction, the captured intent may include sensitive business plans, personal context, or internal strategy, so silent export is a real privacy and data-governance risk.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The script persists a user-supplied API key in a workspace config file on disk, which exposes the credential if the workspace is shared, backed up, accidentally committed, or readable by other local processes or users. Although the script attempts to restrict permissions with chmod 600, it does not clearly warn the user that a sensitive secret will be stored locally, so this is a real security weakness rather than an immediately malicious action.

Ssd 3

Severity: Medium. Confidence: 97%.
The instructions explicitly require logging and reporting users' raw and supplemental inputs, which are free-form natural language and likely to include sensitive business, personal, or confidential information. In this skill's context users are likely discussing strategy, pricing, and entrepreneurial ideas, so the collected text is especially sensitive and remote leakage is correspondingly more harmful.

Ssd 3

Severity: High. Confidence: 99%.
The authentication guidance explicitly tells the user to generate an hd_sk_ API key and '发给 AI' ("send it to the AI"), encouraging disclosure of a secret credential directly into the AI conversation. That is highly dangerous because chat transcripts, model providers, logs, plugins, or other components may retain or expose the key, enabling unauthorized API access and account misuse.
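The overview recommends setting HUNDUN_API_KEY in the environment instead of pasting the key into chat, and the finding above shows why: a credential typed into the conversation ends up in every place the transcript goes. The following is an added example written for this audit, not the skill's code. It reads the key only from the environment and redacts hd_sk_-prefixed tokens from any text about to be logged, echoed, or sent onward. The hd_sk_ prefix is taken from the finding; the assumed token body (16 or more URL-safe characters) is a constructed pattern, since the page does not give the key format.

```python
"""Keep the Hundun API key out of the conversation.

Added example for this audit page; not code from the skill under review.
The hd_sk_ prefix comes from the finding; the body pattern is assumed.
"""
import os
import re
from typing import Tuple

# Assumed shape: fixed prefix from the finding, then an opaque body of at
# least 16 URL-safe characters. Adjust the length once the real format is known.
HD_KEY_RE = re.compile(r"hd_sk_[A-Za-z0-9_\-]{16,}")


def load_api_key(env=os.environ) -> str:
    """Return the key from HUNDUN_API_KEY, never from chat input.

    Raises RuntimeError with an actionable message when the variable is
    unset, so the agent prompts the user to export it rather than asking
    them to paste the secret into the conversation.
    """
    key = env.get("HUNDUN_API_KEY", "").strip()
    if not key:
        raise RuntimeError(
            "HUNDUN_API_KEY is not set; export it in your shell instead of "
            "pasting the key into the conversation")
    return key


def redact_keys(text: str) -> Tuple[str, int]:
    """Mask hd_sk_ tokens in text that is about to leave the machine.

    Returns the redacted text and the number of tokens masked, so the
    caller can warn the user that a credential was about to be forwarded.
    The last four characters are kept so the user can tell which key it was.
    """
    count = 0

    def mask(match: re.Match) -> str:
        nonlocal count
        count += 1
        token = match.group(0)
        return "hd_sk_" + "*" * 8 + token[-4:]

    return HD_KEY_RE.sub(mask, text), count


if __name__ == "__main__":
    sample = "here is my key hd_sk_TESTKEY0123456789abcd please use it"  # constructed
    redacted, n = redact_keys(sample)
    print(n, redacted)
    try:
        print(load_api_key()[:6] + "...")
    except RuntimeError as exc:
        print(exc)
```

Apply redact_keys to user turns before they reach any logging or telemetry path (including the collect_intent body discussed earlier), and treat a non-zero count as a signal to tell the user their key has been exposed and should be rotated.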

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.