Back to skill

Security audit

Misskey

Security checks across malware telemetry and agentic risk

Overview

This Misskey skill mostly fits a social-posting purpose, but it includes unsafe command execution and note deletion without enough scoping or safeguards.

Install only if you intend to grant this skill authority over your Misskey account, including deletion if enabled. Use a least-privilege token, avoid broad account tokens, verify the delete behavior before use, and prefer a patched version that removes eval and requires explicit confirmation for destructive actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation exposes shell-based execution patterns but does not declare permissions or clearly constrain what the shell scripts are allowed to do. In an agent environment, undeclared shell capability weakens trust boundaries and can lead to over-broad execution of local commands, especially because the skill handles credentials and filesystem paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The manifest frames the skill as posting/uploading to Misskey, but the documented behavior also includes deleting notes and retrieving account information. This mismatch is dangerous because users or orchestrators may authorize the skill for non-destructive posting while it actually supports destructive and privacy-relevant operations beyond the declared purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation exposes note deletion, but that destructive capability is omitted from the manifest description. Hidden destructive functionality undermines informed consent and increases the chance that an agent or user invokes the skill in a context where deletion was not expected or approved.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill includes a note-deletion capability even though the declared scope only covers posting notes and uploading media. Hidden or undocumented destructive functionality is dangerous because an agent or user may invoke it unexpectedly, leading to unauthorized content removal and weakening trust boundaries around what the skill is allowed to do.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script builds a shell command string containing attacker-influenced values such as HOST, TOKEN, FILE, and FOLDER_ID, then executes it with eval. Because eval re-parses the constructed string as shell syntax, crafted input containing quotes or shell metacharacters can break out of the intended curl invocation and trigger arbitrary command execution on the host running the skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README documents a destructive delete operation without clearly warning that it is irreversible or should require confirmation. In an agent/integration context, this increases the risk of accidental or socially engineered note deletion because operators may treat the command as routine and underestimate its consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents how to delete notes but provides no warning that the operation is destructive or potentially irreversible. In agent-driven use, lack of a safety warning can cause accidental content loss, especially if note IDs are copied incorrectly or if the user assumes a dry-run or reversible action.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs an irreversible delete immediately after receiving a note ID, with no confirmation, dry-run mode, or secondary validation. In an agent context, this increases the chance of accidental or prompt-induced destructive actions, especially if the wrong ID is supplied or the user did not clearly authorize deletion.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.