Back to skill

Security audit

Tencent IMA Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to automate Tencent IMA searches, but it uses browser debugging and request interception to modify private-knowledge queries in ways users should review carefully.

Install only if you understand that it automates Tencent IMA through a debugging port and can alter outgoing private-knowledge search requests. Use it only with accounts and knowledge bases you are authorized to access, protect any saved knowledge IDs/config files, and avoid running it in environments where private enterprise data could be exposed unintentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill exposes shell execution, file reads, environment access, and likely networked behavior through an external Python script, but the manifest declares no permissions or constraints. This creates a transparency and trust problem: users and security tooling cannot accurately assess the skill’s capabilities, and the query parameter is forwarded into a shell-invoked command path that interacts with local config and a desktop app.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill presents itself as a search/knowledge assistant, but it actively uses Chrome DevTools Protocol to intercept and modify network requests sent by the desktop app. That mismatch is dangerous because it conceals man-in-the-browser style traffic tampering, including forced injection of a knowledge ID into backend requests, which can alter data access scope without clear user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs users to capture `/cgi-bin/assistant/qa` traffic and extract `knowledge_ids`, then use request interception to inject those identifiers into later queries. That workflow normalizes interception of private-knowledge requests and manipulation of private context without clear warnings about privacy, authorization, retention, or accidental disclosure risks, which can lead to misuse of sensitive enterprise data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.