
Security audit

公众号热门账号推荐 (Popular WeChat Official Account Recommendations)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its WeChat ranking purpose, but it automatically searches shell profile files for an API key and offers subscriptions without clear persistence controls.

Install only if you are comfortable with the skill reading your shell profile files to discover REDFOX_API_KEY and sending that key to redfox.hk. Prefer setting the key only in the active environment immediately before use, review the files the skill writes (its documentation describes writes under /tmp), and avoid enabling subscriptions unless you understand how your client stores and cancels recurring pushes.
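To make that recommendation concrete, here is an added example (not the skill's code and not the auditor's) showing the two key-loading strategies side by side: a hypothetical reconstruction of the profile-scanning fallback the findings describe, and an environment-only loader that fails closed. REDFOX_API_KEY comes from the audit; the list of profile files, the function names and the sample .zshrc are assumptions constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Name of the credential the audit says the skill looks for.
KEY_NAME = "REDFOX_API_KEY"

# Shell startup files the findings say the skill inspects. The exact list is an
# assumption for this example; the audit names .zshrc, .bashrc, .profile and
# PowerShell profiles.
PROFILE_FILES = [
    "~/.zshrc",
    "~/.bashrc",
    "~/.profile",
    "~/.config/powershell/Microsoft.PowerShell_profile.ps1",
    "~/Documents/PowerShell/Microsoft.PowerShell_profile.ps1",
]

# Matches `export REDFOX_API_KEY=...`, `REDFOX_API_KEY="..."` and
# PowerShell's `$env:REDFOX_API_KEY = "..."`.
_ASSIGN_RE = re.compile(
    r"(?:export\s+|\$env:)?" + re.escape(KEY_NAME) + r"\s*=\s*[\"']?([^\"'\s#]+)"
)


def harvest_key_from_profiles(profile_paths=PROFILE_FILES, home=None):
    """The behaviour the findings flag: walk the user's shell profiles and pull
    the key out of whichever one defines it. Returns (key, path) or (None, None).
    `home` overrides `~` so the example can run against a throwaway directory."""
    for raw in profile_paths:
        if home is not None and raw.startswith("~/"):
            path = Path(home) / raw[2:]
        else:
            path = Path(raw).expanduser()
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # missing or unreadable profile: keep looking
        match = _ASSIGN_RE.search(text)
        if match:
            return match.group(1), str(path)
    return None, None


def load_key_env_only(env=None):
    """Hardened loader: honour only the active process environment and fail
    closed with an actionable message instead of widening the search to disk."""
    env = os.environ if env is None else env
    key = env.get(KEY_NAME, "").strip()
    if not key:
        raise RuntimeError(
            f"{KEY_NAME} is not set for this session. Export it before running "
            f"(for example `export {KEY_NAME}=...`); this tool does not read "
            "shell profile files."
        )
    return key


def demo():
    """Run both loaders against a constructed .zshrc in a temporary home
    directory, with the key deliberately absent from the environment."""
    with tempfile.TemporaryDirectory() as home:
        zshrc = Path(home) / ".zshrc"
        zshrc.write_text(
            "# constructed sample profile, not a real user's file\n"
            'export REDFOX_API_KEY="rf-sample-0001"\n'
            'alias ll="ls -l"\n',
            encoding="utf-8",
        )
        harvested, where = harvest_key_from_profiles(home=home)
        try:
            load_key_env_only(env={})
            hardened = "loaded"
        except RuntimeError:
            hardened = "refused"
    return harvested, Path(where).name, hardened


if __name__ == "__main__":
    print(demo())  # ('rf-sample-0001', '.zshrc', 'refused')
```

Running it prints `('rf-sample-0001', '.zshrc', 'refused')`: the harvester recovers the key from a file the user never handed to the skill, while the hardened loader refuses and tells the user how to set the key for the session. Exporting the variable only in the active shell before invoking the skill keeps it out of profile files entirely, which is the practice the overview recommends.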

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill documentation describes reading environment variables, reading shell profile files, writing temporary files under /tmp, and making outbound API calls, yet the skill declares no permissions for any of these. Without declared capabilities, neither the user nor a sandbox can see or enforce what the skill is allowed to touch, so an agent could be steered into reading local configuration files or environment secrets and making network requests with no visible consent step. The documented fallback that reads shell startup files and persists API responses to disk makes the mismatch concrete rather than hypothetical.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script goes beyond ordinary ranking and report generation by scanning local shell profile files (.zshrc, .bashrc, PowerShell profiles) to extract an API key automatically. Reading configuration files unrelated to its task widens the skill's reach into sensitive user data and can expose secrets without clear, informed consent; in an agent context this is worse, because users do not expect a ranking fetcher to inspect the filesystem.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The script searches shell profile files (.zshrc, .bashrc, .profile, PowerShell profiles) to extract REDFOX_API_KEY. That reaches into local files unrelated to the stated purpose of querying rankings, needlessly exposes whatever else those files contain, and normalizes harvesting credentials from the user's environment. In an agent setting it is especially risky because the user may not realize persistent configuration files are being read at all.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The activation description is broad enough to fire on generic analytics, ranking, reporting, export, or subscription requests, so the skill can run when the user did not specifically intend it. Overbroad triggering matters more for this skill because activation leads to network calls, local file access, and report generation, each of which is a chance for unintended data handling or an unexpected external request.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The workflow enables recurring subscriptions and scheduled pushes but does not say what user data is stored, how long it is retained, or how notifications are managed or revoked. Users may therefore subscribe without understanding the persistence, data handling, or operational consequences of ongoing notifications.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The code reads API credentials from local shell startup files without first warning the user, or obtaining consent, that these personal configuration files will be accessed. Even if the motive is convenience, this violates least surprise and can reveal secrets or other shell contents in a context unrelated to the advertised functionality.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The script silently reads shell initialization and PowerShell profile files to locate API credentials, with no disclosure at the time of access. Those files routinely contain other sensitive material (tokens for unrelated services, proxy settings, aliases that embed internal hostnames), so reading them without explicit consent violates least privilege and can expose secrets unrelated to the ranking task. Covert local-file inspection is more dangerous in a skill, where users expect a data fetcher, not host credential discovery.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.
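The static pass above reports no suspicious patterns, while SkillSpector's findings rest on behaviour described in the documentation (profile reads, /tmp writes, outbound calls) and on the capability mismatch in the first finding. Before trusting a clean result, a reviewer can run a small pattern scan of their own over the script and compare what it finds against what the skill declares. The following is an added example, not the page's analyser and not the skill's code: the rules, the SAMPLE_SCRIPT stand-in and the DECLARED manifest list are constructed for illustration.

```python
import re

# Each rule maps a capability the audit above describes to a source pattern.
# Constructed for this example; not the page's static analyser.
RULES = {
    "shell_profile_read": re.compile(
        r"\.(?:zshrc|bashrc|bash_profile|zprofile|profile)\b"
        r"|Microsoft\.PowerShell_profile\.ps1"
    ),
    # Whole-environment enumeration, not a single named lookup.
    "env_harvesting": re.compile(
        r"os\.environ(?!\.get\(|\s*\[)|Get-ChildItem\s+env:|\bgci\s+env:"
    ),
    "tmp_persistence": re.compile(r"(?<![\w/])/tmp/"),
    "outbound_http": re.compile(r"https?://[\w.-]+"),
}


def scan_source(source):
    """Return {capability: [(line_no, stripped_line), ...]} for every line that
    matches a rule. One line can hit several rules."""
    hits = {}
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append((line_no, line.strip()))
    return hits


def undeclared(hits, declared):
    """Capabilities the scan observed that the skill manifest did not declare:
    the mismatch the least-privilege finding above describes."""
    return sorted(set(hits) - set(declared))


# Constructed script that behaves the way the findings describe. It is a
# stand-in for illustration, not the skill's actual code.
SAMPLE_SCRIPT = '''\
import os, re, json, urllib.request
KEY = os.environ.get("REDFOX_API_KEY")
if not KEY:
    for p in ("~/.zshrc", "~/.bashrc", "~/.profile"):
        text = open(os.path.expanduser(p)).read()
        m = re.search(r"REDFOX_API_KEY=(\\S+)", text)
        if m: KEY = m.group(1); break
resp = urllib.request.urlopen("https://redfox.hk/api/rank?key=" + KEY)
json.dump(json.load(resp), open("/tmp/redfox_rank.json", "w"))
'''

# What a manifest for a "query rankings" skill might declare (assumption).
DECLARED = ["outbound_http"]


if __name__ == "__main__":
    found = scan_source(SAMPLE_SCRIPT)
    for cap, lines in sorted(found.items()):
        for n, text in lines:
            print(f"{cap:20} line {n}: {text}")
    print("undeclared:", undeclared(found, DECLARED))
```

On the constructed script the scan flags the profile read at line 4, the outbound call at line 8 and the /tmp write at line 9; with only outbound access declared, `shell_profile_read` and `tmp_persistence` come back as undeclared, which is the mismatch the first finding describes. The single named `os.environ.get(...)` lookup is deliberately not flagged, since reading one declared variable is the expected behaviour. A string-level scan like this misses paths assembled at runtime or behaviour delegated to a subprocess, so treat a clean scan as absence of evidence rather than evidence of absence.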