(Treasury System) API Full Lifecycle Management Intelligent Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to expose high-impact banking and treasury operations under a broader API-management framing, so users should review it carefully before installing.

Install only if you intend to work with these banking/treasury APIs and can keep it confined to sandbox or test data. Do not provide production credentials, certificates, signatures, passwordless token URLs, real account identifiers, payroll files, or live payment payloads unless the skill has explicit approval gates, redaction, and environment separation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill declares powerful operational capabilities via tools and referenced helper files, yet does not explicitly declare permissions or constrain use of file, network, and possible shell-like execution paths. In a financial API skill, this gap is dangerous because it can lead to unreviewed outbound requests, local file access to certificates/examples, or execution pathways that process sensitive banking material without clear guardrails.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The declared description presents this as a general API lifecycle/intelligence skill, but the content shows concrete capability to construct and send real banking transactions, validate payloads, handle cryptographic fields, and simulate payment flows. This mismatch is security-relevant because users and reviewers may underestimate that the skill can interact with production-like financial operations and sensitive authentication material.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill is presented as API lifecycle management, but the API surface actually includes high-risk operational treasury functions such as payroll disbursement, single-payment initiation, fund transfers, budget operations, and token issuance. This mismatch is dangerous because it can cause users, reviewers, or automated allowlisting systems to grant the skill broader trust than warranted, enabling unauthorized financial actions under misleading metadata.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill can obtain a passwordless login token and returns a URL containing that token, which is a powerful authentication artifact unrelated to the stated API lifecycle purpose. If exposed to the wrong user, logged, or invoked without tight authorization, it could enable unauthorized access to the treasury system and bypass normal interactive authentication controls.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The error-response helper sets the common header to success values even when the business response contains an error code and message. Consumers that trust only txComm.respCode/respDesc may treat failed operations as successful, potentially causing incorrect workflow progression, skipped compensating actions, or unsafe financial automation decisions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill offers runnable curl and Python examples for treasury APIs but does not warn against embedding real credentials, certificate serial numbers, signatures, encrypted keys, or payloads in prompts or generated code. In a banking context, this can cause accidental leakage of secrets into chat logs, source repositories, terminals, or shared examples, enabling unauthorized access or replay attempts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill invites users to submit request bodies for validation and to simulate payment and balance-related responses, but it gives no warning that such data may contain highly sensitive financial or personal information. This raises the risk of unnecessary collection, retention, or exposure of account data, payroll data, transaction details, and identifiers during validation or mock generation workflows.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The manifest exposes broad banking and payment operations, including account queries, payroll upload, payment initiation, fund disbursement, and budget actions, without documented trigger restrictions or narrow execution scope. In an agent setting, this increases the chance of overbroad invocation, prompt-induced misuse, or accidental execution of sensitive financial operations beyond user intent.

VirusTotal

65/65 vendors flagged this skill as clean.