iFlytek Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward iFlytek web search helper that discloses its API password requirement and sends user searches to the documented iFlytek endpoint.

Install only if you are comfortable using iFlytek ONE SEARCH with your own API password. Avoid sending confidential, personal, or regulated search terms, and consider using --no-fulltext when full page text is not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes a Python script that uses both environment-sourced secrets and outbound network access, but the manifest/metadata shown does not declare those capabilities. Undeclared env and network use weakens security review and user consent because the skill can access `XFYUN_API_PASSWORD` and transmit user queries and retrieved content to a third-party API without an explicit permissions declaration.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The script sends user queries to a third-party search API without an explicit runtime warning or consent step. In a skill context, queries may contain sensitive business, personal, or regulated data, so silent transmission to an external provider creates a privacy and data-handling risk even though it is core functionality.

VirusTotal

57/57 vendors flagged this skill as clean.
