Security audit

JSON file translation (json文件翻译)

Security checks across malware telemetry and agentic risk

Overview

This skill translates selected JSON fields using an online translation service and writes a translated JSON file, with a privacy caveat for sensitive content.

Install only if you are comfortable sending the selected JSON field contents to MyMemory or similar online translation services. Avoid using it on secrets, private customer data, regulated data, or confidential configuration files unless that sharing is approved, and verify the output path before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to read local JSON files, write translated output files, and call external translation APIs, but it declares no permissions or equivalent user-facing capability disclosure. This creates a transparency and policy-enforcement gap: users or hosting platforms may not realize the skill can access local data and transmit JSON field contents over the network.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script sends selected JSON field contents to a third-party service (MyMemory) over the network, while the skill description frames the capability as local JSON translation. This creates a real confidentiality and transparency risk because users may provide private product, config, API, or dataset content without realizing it leaves the local environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README notes that network access to MyMemory API is required, but it does not clearly warn users that JSON field contents will be transmitted to a third-party external service for translation. If users process sensitive JSON data, they may unknowingly exfiltrate confidential, personal, or proprietary content to an external provider, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends JSON field contents to MyMemory and LibreTranslate, but the description does not clearly warn users that potentially sensitive text from their files will leave the local environment. If users translate configuration files, datasets, API docs, or product metadata containing secrets or proprietary text, this can cause unintended third-party data disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
JSON string values are transmitted to an external translation API without an explicit warning or consent flow. In this skill context, fields such as description, name, documentation, or config text may contain sensitive business or internal information, so silent exfiltration to a third party is a meaningful privacy and compliance issue.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.