Back to skill

Security audit

Coding Plan Usage

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but should be reviewed because it automates Alibaba Cloud login, reuses browser session state, and saves a login screenshot without clear cleanup controls.

Install only if you are comfortable letting the skill open Alibaba Cloud through agent-browser, create or reuse a logged-in browser session, and save a login screenshot. Run it from a trusted directory, review any .env values first, verify the agent-browser package yourself, and delete the screenshot and browser session when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs the agent to execute a Python script, access files, and use shell capabilities, but it does not declare any permissions for those behaviors. This creates a transparency and policy-enforcement gap: reviewers and runtime controls may underestimate what the skill can do, and users are not adequately informed that code execution, local file output, and environment-dependent behavior are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose says this is a simple command-line usage query, but the workflow actually performs browser automation, login-state handling, navigation to Alibaba Cloud pages, and screenshot capture of a login/QR flow. That mismatch is dangerous because it can cause the agent or user to authorize far more invasive actions than expected, including interaction with a live account session and persistence of authentication-related images on disk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to query Coding Plan usage, but it also automates browser login flow, navigates account pages, and captures a login screenshot for QR-based authentication. This expands the skill's effective privileges and data exposure beyond a simple usage query, creating unnecessary access to authenticated account context and sensitive visual artifacts.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code reads .env files and environment variables to determine the executable path, session name, and dev behavior, even though the advertised function is only to query plan usage. Allowing local configuration to choose what binary is executed creates an unnecessary trust boundary and can be abused to run an attacker-controlled program under the skill's privileges.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly tells users to give the document to an AI so it can download and install dependencies, but it does not warn that this may cause package-manager commands such as global npm installs to run and modify the host environment. In an agent skill context, this is risky because users may authorize automated dependency installation without understanding the trust boundary, package provenance, or the system-wide effects of commands like `npm install -g`.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently consumes environment and .env configuration that alters runtime behavior, including executable selection and browser session naming, without user-facing disclosure. Hidden configuration channels make the skill less auditable and can enable surprising behavior or abuse when deployed in shared or compromised environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.