Back to skill

Security audit

BNBOT Mascot

Security checks across malware telemetry and agentic risk

Overview

This mascot image generator mostly does what it claims, but it uses local credentials and undeclared neighboring code in ways users should review before installing.

Install only if you are comfortable sending mascot prompts and reference images to Google Gemini and using a GOOGLE_AI_API_KEY on the machine. Prefer a revised version that removes the hard-coded developer .env fallback and vendors or explicitly declares the transparent-image-gen helper dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions, yet the content clearly indicates it reads local files and environment-backed secrets, including a hardcoded path to a .env file. That creates an authorization and transparency gap: users and the platform may treat the skill as harmless image generation while it can access sensitive local resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates key behaviors: the skill sends content to an external Gemini API, reads a secret from a local filesystem path, and relies on sibling code for image post-processing. This mismatch is dangerous because it prevents informed consent and security review, and could lead users to expose prompts, images, or local secrets to components they did not expect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The function falls back to reading a hard-coded local .env file at /Users/jacklee/Projects/BNBOT/.env to obtain GOOGLE_AI_API_KEY. This expands the skill's trust boundary beyond its declared mascot-generation purpose, couples execution to a specific developer machine layout, and can unintentionally access local secrets when the skill is run in environments where that file exists.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script prepends a sibling skill directory to sys.path and imports chromakey_despill from outside the current skill boundary. That creates cross-skill code execution and dependency confusion risk, because behavior now depends on whatever code is present in another skill directory rather than a pinned, isolated package dependency.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documentation says it sends prompts and reference images to Gemini, but the description does not warn users up front that their content is transmitted to an external service. This is a privacy and data-handling issue because users may provide proprietary artwork, branding assets, or sensitive prompt content without realizing it leaves the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:29