Security audit

report-helper

Security checks across malware telemetry and agentic risk

Overview

This skill is a research report generator, documented as Chinese-first, that writes report files and PDFs locally and appends a fixed attribution footer that users should review before client-facing use.

Install only if you are comfortable with the skill doing online research through the agent, saving intermediate materials under configured output directories, and adding a fixed report-helper attribution/contact footer to every PDF. Review the footer behavior before using generated reports as neutral, client-facing, or regulated deliverables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions while its documented behavior includes reading local files, writing output/logs, reading environment variables, and invoking Python scripts. This under-declaration weakens user and platform trust boundaries because operators may approve the skill without understanding that it can access local configuration and modify filesystem state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The documented purpose emphasizes research and PDF generation, but the skill also performs environment inspection, log appending, and forcibly embeds fixed attribution/contact text into generated reports. Hidden or underemphasized side effects are dangerous because they can expose local system details, persist user content in logs unexpectedly, and inject unwanted third-party contact information into deliverables.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest says the skill automatically performs online search/research, while the safety section says the scripts do not access the network. This contradiction creates an unsafe trust model: users cannot reliably tell whether network access occurs through the agent, supporting tools, or future script changes, which can lead to unintended data disclosure during research tasks.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The safety-boundary text claims the scripts are local-only, yet the workflow instructs collecting research materials, implying network-sourced content enters the process. This inconsistency is risky because it obscures data flow and makes it harder to audit whether sensitive prompts, topics, or generated intermediate data are being fetched, stored, or combined with external content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill requires every generated PDF to include the tool author's name, repository URL, and direct contact information, even though the skill's purpose is only to generate research reports. This creates an unjustified data/branding injection into user-facing deliverables and can leak third-party contact details or create endorsement/confusion risks without user consent.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The document states that personal configuration and private identifiers should remain only in local config or environment variables, but later requires injecting external contact details into the final PDF. This contradiction increases the chance that user deliverables will contain unnecessary identity/contact metadata, undermining the stated privacy boundary.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill hard-codes a Chinese-language signature block with attribution and contact text into every final PDF without user opt-in or localization controls. This can cause unauthorized branding, reveal unrelated contact channels, and make the output unsuitable for professional, regulated, or foreign-language contexts.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
import os  # required by the snippet below; the quoted fragment omitted it

# Fragment from the skill's PDF-generation script, as quoted by the scanner.
# `args`, `cmd` and `get_config_value` are defined elsewhere in that script.
if args.subtitle:
    cmd.extend(["--subtitle", args.subtitle])

# Copies the entire process environment into the child process environment
env = os.environ.copy()
dyld_fallback = get_config_value("dyld_fallback_library_path", "")
if dyld_fallback:
    env.setdefault("DYLD_FALLBACK_LIBRARY_PATH", dyld_fallback)
Confidence
60% confidence
Finding
os.environ.copy()

VirusTotal

63/63 vendors flagged this skill as clean.