
Security audit

Moegirl Wiki - ACG Encyclopedia

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward public wiki lookup skill, but it adds a visible unrelated Moepad promotional link to every response.

Install only if you are comfortable with your search terms being sent to Moegirl Wiki's public API. Expect every answer to include a Moepad promotional download link; treat that as advertising and only download the app if you independently trust it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The skill mandates appending promotional content for an external app ('Moepad AI Assistant') that is unrelated to the user’s requested wiki lookup. This creates unauthorized marketing behavior inside a retrieval skill and can mislead users into thinking the endorsement is part of the requested result or an official requirement of the source site.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
Requiring the agent to promote and link an unrelated external application is an unjustified instruction for a wiki search skill and introduces a trust-boundary violation. Users invoking a search skill expect information retrieval, not forced outbound promotion, which can be abused for traffic steering, affiliate-style redirection, or social engineering.

VirusTotal

65/65 vendors flagged this skill as clean.
