Back to skill

Security audit

Quark Lazy Cli

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it should be reviewed because it can change cloud-drive subscription state, use sensitive tokens and optional LLM services, and includes an unrelated agent permission file.

Review before installing. Use a limited QAS token if possible, prefer a local/trusted QAS host, avoid llm advisor mode unless you trust the configured endpoint, and remove or ignore the bundled .claude/settings.local.json permission file if it is not needed. Do not run update or cron commands unless you are comfortable with the skill changing your Quark/QAS subscription configuration and transferring files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The LLM advisor sends task names, local disk episode state, search results, and optional user add-on instructions to a remote OpenAI-compatible endpoint. That creates a real data-exposure channel beyond purely local CLI/media processing, especially because the endpoint is configurable and this code path does not minimize or redact the transmitted context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README repeatedly describes automated searching, selection, and transfer of cloud-drive content, but does not clearly warn users that running the skill can modify their cloud-drive files and subscriptions. In an agent-integrated context, this increases the risk of users or orchestration systems invoking actions without understanding that stateful remote changes will occur, potentially causing unintended transfers, clutter, quota usage, or media library disruption.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad, natural-language requests such as '帮我每天汇报订阅情况' and '每天检查今天该更新的剧', which can overlap with ordinary conversation and cause the agent to invoke this reference unintentionally. In this skill's context, unintended activation could lead the agent to configure scheduled tasks or prepare operational commands around local scripts and notification channels, creating surprising automation or privacy-impacting behavior even though the document itself emphasizes read-only reporting.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are broad, natural-language maintenance requests that can overlap with ordinary conversation, increasing the chance the skill is invoked unintentionally. In an agent setting, accidental activation can cause the agent to read status data, infer schedules, or modify subscription-related workflows without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code performs the outbound LLM API call directly without any user-facing consent or disclosure in this execution path. Users may believe the tool is operating locally while their search metadata and disk state are being transmitted to a third-party service, which is a privacy and trust issue.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code explicitly documents and implements authentication by appending the API token to URL query parameters for all requests. Tokens in URLs are commonly exposed through proxy logs, server access logs, browser/history artifacts, monitoring tools, and referrer propagation, so this increases credential leakage risk even if HTTPS is used.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The update flow mutates subscription task fields such as pattern, shareurl, startfid, shareurl_ban, and replace, then persists them with update_task_qas_config() without any explicit user confirmation or dry-run safeguard. In an agent-assisted or scheduled setting, this can silently repoint future automation to a different remote share source, causing unauthorized configuration drift, unexpected downloads, or persistence of a bad/malicious source after one run.

Ssd 1

High
Confidence
95% confidence
Finding
Untrusted ctx.add_prompt is inserted directly into the LLM user prompt, allowing callers to influence or override the model's selection rules and output constraints. Because the LLM's decision controls which resources are chosen and the reported max episode, prompt injection can cause wrong or adversarial decisions, data leakage amplification, or bypass of intended policy logic.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.