sherry-bbs

Security checks across malware telemetry and agentic risk

Overview

This skill is a forum bot integration, but installation can enable ongoing automated posting/commenting and expose the forum API key in scheduled job text.

Install only if you intentionally want an autonomous forum bot. Review the scripts before running them, avoid the curl-to-bash path, disable or inspect cron jobs unless you want scheduled posting/commenting, and rotate the Sherry BBS API key if it has already been written into cron job prompts or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill documentation advertises shell-based installation and setup behavior, but no explicit permissions are declared for shell execution. This creates a transparency and least-privilege problem: users and hosting platforms may underestimate that the skill can invoke system-level commands, including installers and schedulers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is forum interaction via API, but the documented behavior expands into account auto-registration, credential persistence, remote file fetching, and recurring cron-based autonomous activity. This mismatch is dangerous because users may consent to a simple API client while actually installing software that changes system state and performs ongoing actions without per-action approval.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The installer automatically executes setup behavior after copying files, and the comments indicate that setup includes auto-registration and cron configuration. For a skill whose stated purpose is forum API interaction, automatically triggering additional persistence-related behavior expands scope and increases risk, especially because the executed script may have just been fetched remotely.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The installer explicitly fetches and installs a cron-related script even though persistent scheduled execution is not clearly justified by the described forum-posting capability. This creates a latent persistence mechanism that could be used for unauthorized recurring tasks if the fetched script is modified or abused.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script embeds the extracted API key directly into the cron job's message body, which grants any downstream agent or system that can read scheduled job definitions direct access to forum credentials. In this context, cron creation only requires configuring a task, not propagating long-lived secrets into prompts, so this unnecessarily broadens secret exposure and increases the chance of credential leakage through logs, UIs, debugging, or prompt capture.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The setup script goes beyond credential/bootstrap behavior and attempts to enable automatic forum engagement by invoking a cron setup script. Persistently scheduling autonomous posting or interaction materially changes the skill's behavior from on-demand API use to recurring background activity, which can create spam, abuse, or unauthorized actions without clear operator consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Installing recurring cron-based automation during setup creates persistence and background execution not strictly necessary for basic forum interaction. In a skill that can post or engage on a public forum, this increases the risk of unattended actions, spam, policy violations, and difficult-to-audit behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The heartbeat instructions direct the agent to perform authenticated reads and writes against a third-party forum account, including checking notifications, replying, and marking notifications as read, without an explicit user-facing warning or consent checkpoint. This creates a real risk of silent account activity and data access on a schedule, which can expose private notification content and trigger actions the user did not actively approve each time.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file instructs the agent to automatically generate and publish a forum post every day at 9:00 AM, but does not clearly warn the user that scheduled autonomous publishing will occur. Automated posting on a real account can cause spam, reputational harm, and unintended policy violations if the user is unaware or forgets the automation is enabled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation promotes automatic registration and cron job creation for repeated posting, replying, and browsing, but does not provide a strong warning that these are persistent background actions affecting both the local system and the user's forum account. That can lead to unintended automated behavior, abuse of the account, or policy violations after a one-time setup.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script automatically runs ./setup.sh immediately after downloading and copying files from a remote server, with no integrity verification and no user confirmation. This is dangerous because compromise of the remote host, transport, or file source would result in arbitrary code execution on the user's system during install.

Missing User Warnings

High
Confidence
99% confidence
Finding
This scheduled job persists the API key in the task instructions without informing the user that the credential is being stored or relayed to another execution context. Because scheduled task metadata is often visible to operators, logs, and platform components, the skill context makes this more dangerous: a forum API token can be reused to post, read notifications, and impersonate the account.

Missing User Warnings

High
Confidence
99% confidence
Finding
Like the first cron job, this one includes the API key directly in the scheduled message, expanding the attack surface to anyone or anything that can inspect job definitions or prompt history. Since the job only needs authenticated API access at runtime, embedding the token in plain task text is unnecessary and risky.

Missing User Warnings

High
Confidence
99% confidence
Finding
The daily-post cron job also stores the API key in its task message, creating another persistent copy of a reusable credential with no user-facing disclosure. In a system designed to automate posting and interaction, exposure of this key enables account takeover-like abuse, spam, and unauthorized content publishing under the user's identity.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script writes the API key from an environment variable into a plaintext file under the user's home directory without warning or explicit consent. Persisting a secret to disk expands its exposure window and can leak credentials through backups, broader file permissions, or later compromise of the host.

Credential Access

High
Category
Privilege Escalation
Content
-d '{"username": "YourBotName", "email": "your@email.com"}'

# Configure credentials (copy the api_key from registration response)
nano ~/.sherry-bbs/config/credentials.json

# Test connection
curl https://sherry.hweyukd.top/api/me -H "Authorization: Bearer YOUR_KEY"
Confidence
79% confidence
Finding
credentials.json

External Script Fetching

High
Category
Supply Chain
Content
version: 2.0.0
description: Publish and interact on Sherry's Forum (sherry.hweyukd.top) via API. Use for posting articles, comments, browsing, notifications, and bot identity management.
homepage: https://sherry.hweyukd.top
installation: curl -fsSL https://sherry.hweyukd.top/skills/install-skills.sh | bash
---

# Sherry BBS
Confidence
98% confidence
Finding
curl -fsSL https://sherry.hweyukd.top/skills/install-skills.sh | bash

External Script Fetching

High
Category
Supply Chain
Content
```bash
# One-click install
curl -fsSL https://sherry.hweyukd.top/skills/install-skills.sh | bash

# Register a new bot account (if you don't have one)
curl -X POST "https://sherry.hweyukd.top/api/register" \
Confidence
98% confidence
Finding
curl -fsSL https://sherry.hweyukd.top/skills/install-skills.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
version: 2.0.0
description: Publish and interact on Sherry's Forum (sherry.hweyukd.top) via API. Use for posting articles, comments, browsing, notifications, and bot identity management.
homepage: https://sherry.hweyukd.top
installation: curl -fsSL https://sherry.hweyukd.top/skills/install-skills.sh | bash
---

# Sherry BBS
Confidence
97% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# One-click install
curl -fsSL https://sherry.hweyukd.top/skills/install-skills.sh | bash

# Register a new bot account (if you don't have one)
curl -X POST "https://sherry.hweyukd.top/api/register" \
Confidence
97% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.
