long-doc-agent

Security checks across malware telemetry and agentic risk

Overview

This looks like a real long-report writing skill, but it needs review because it can run automated multi-agent workflows, persist project materials, and send or search project information externally.

Install only if you are comfortable with an automated report-writing workflow that writes to F:/agent/chapters, stores raw reference material locally, may use Feishu/web search, and sends WeChat progress messages. Use non-sensitive materials unless you have confirmed the external-search and messaging behavior, back up existing output files, and disable or avoid automatic steps when confidentiality or review checkpoints matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises and instructs use of shell commands plus read/write access to local files, yet the manifest shown in SKILL.md does not declare those capabilities. That creates a permission-transparency gap: users and policy systems may not realize the skill can modify local content, clear state, or invoke external programs, increasing the risk of unsafe execution and bypass of informed consent.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The documented purpose is report generation, but the skill also describes auxiliary behaviors including reference-material management, glossary extraction, markdown export, and external Mermaid CLI/node subprocess execution. When behavior materially exceeds the declared purpose, users may unknowingly permit broader file processing and command execution than expected, which expands the attack surface and can hide risky data flows or tool usage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 74%
Finding: Even though the command is constant, the monitor unnecessarily executes a shell command in a document-writing tracker, which broadens capability beyond what is needed. In agentic or restricted environments, introducing shell execution where simple output formatting would suffice can violate least-privilege expectations and create policy or environment-specific security risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 75%
Finding: The CLI wait loop also includes unnecessary command execution solely to clear the screen. In the context of an agent skill for report generation, command-execution capability is not justified by the core function and can become more dangerous if deployed in environments that grant shell access broadly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The guide instructs sub-agents to perform Feishu knowledge-base retrieval and web search, which expands the skill from local document generation into external data access. In an autonomous multi-agent workflow, this creates unnecessary data-exfiltration, prompt-injection, and unbounded content-ingestion risk because retrieved content can influence report output or leak sensitive project context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: Automatic WeChat notifications are unrelated to the core report-writing function and introduce an outbound communication channel from the skill. That channel could disclose project metadata, progress, or content to external recipients without user awareness, which is especially risky in enterprise feasibility-report contexts.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger phrases are broad, generic writing requests such as 'write proposal' and 'agent write document', making accidental activation likely during normal user conversations. Because this skill can read/write files, spawn parallel agents, and run shell commands, unintended activation is more dangerous than for a simple text-only skill.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill instructs automatic WeChat notifications containing report topic, chapter progress, and other task metadata, but does not indicate that this information will be sent to an external messaging service or require user approval. This creates a clear data-exfiltration/privacy risk, especially because report subjects and progress details may be sensitive business information.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill promotes Feishu knowledge-base search to supplement references, but does not warn that user queries, document identifiers, or contextual material may be transmitted to an external service. In a document-generation workflow, reference material often contains confidential planning or business data, so silent external lookup increases privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The `ref show` CLI path prints the contents of reference_material.txt directly to stdout, exposing potentially sensitive project inputs, internal documents, or proprietary data to logs, terminals, or calling systems. In agent environments, stdout is often captured and persisted, so this can become an unintended data disclosure channel.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The guide includes direct `del` commands for deleting files such as caches and generated reports without any caution, confirmation step, or scope-limiting guidance. In an agent skill context, operational documentation can be surfaced or copied into automated workflows, so destructive commands increase the chance of unintended data loss if executed blindly or against the wrong path.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The guide instructs saving user-provided reference materials to a fixed local path without any notice, consent, retention policy, or access control guidance. This creates a real risk of unintended persistent storage of sensitive business documents, and a fixed shared path can expose data across tasks, users, or later processing steps.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The workflow performs batch conversion and file writes automatically, without warning or confirmation, causing the agent to modify local artifacts and finalize outputs without a human checkpoint. In a parallel agent system this can overwrite expected state, propagate bad content, and make unintended changes harder to detect or roll back.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The workflow encourages broad submission of files, links, and pasted text, then persists that material as a primary knowledge source with no stated limits, filtering, or minimization. In the context of a long-document agent handling feasibility reports, these references may contain confidential commercial, regulatory, or personal data, increasing privacy and data-governance risk.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**Execution flow** (fully automatic, no manual confirmation):
1. Display outline / current batch status (display only, no waiting)
2. `python parallel_tracker.py clear` to clear previous batch state
3. Start up to 5 concurrent sub-agents (`sessions_spawn`), automatically execute all batches
4. `python parallel_tracker.py wait` to monitor in background until this batch is complete
5. After completion, automatically run `python integrate_report.py convert-batch`
Confidence: 78%
Finding: automatically execute

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
2. `python parallel_tracker.py clear` to clear previous batch state
3. Start up to 5 concurrent sub-agents (`sessions_spawn`), automatically execute all batches
4. `python parallel_tracker.py wait` to monitor in background until this batch is complete
5. After completion, automatically run `python integrate_report.py convert-batch`

**Sub-Agent prompt template**: see `references/phase2_guide.md`
Confidence: 76%
Finding: automatically run

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal