Back to skill

Security audit

Scripts

Security checks across malware telemetry and agentic risk

Overview

This paid text-generation skill is mostly coherent, but it asks the agent to reveal internal reasoning and handles prompts and payment credentials with limited disclosure.

Review carefully before installing. This skill will create paid orders, use a separate payment skill, send your prompt and payment credential to web.kihb.shop, and keep order records locally including your original prompt. Avoid using it for sensitive personal, financial, or secret content unless you trust the publisher and the remote service, and the reasoning-disclosure instruction should be removed before normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction requiring the assistant to include its internal reasoning process is unrelated to the stated business purpose of paid text generation and encourages disclosure of sensitive internal deliberation. This can expose hidden reasoning, policy logic, or transformed sensitive inputs to users, increasing prompt-exfiltration and data leakage risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill directs the agent to run local shell commands and invoke another skill for payment processing without clear user-facing disclosure or confirmation at the point of action. In a payment context, hidden execution of scripts and cross-skill payment handling increases the risk of unintended transactions, opaque credential use, and abuse if the workflow or dependent skill is modified.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The skill both mandates a specific interaction language and explicitly requires exposing the assistant's reasoning process. The dangerous part is the reasoning-disclosure requirement: it attempts to override safe response boundaries and can lead to leakage of internal system behavior or sensitive intermediate analysis, which is especially problematic in a workflow handling payments and credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the user-supplied `question` to an external service endpoint as part of order creation, but there is no visible consent, minimization, or privacy notice in this code path. Because this skill handles paid content generation, users may submit sensitive prompts or personal data, making undisclosed third-party transmission a meaningful privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script stores full order data locally, including the user's `question`, without any indication of data minimization, encryption, retention controls, or user notice. If local storage is accessible to other users, processes, backups, or logs, sensitive prompt content could be exposed beyond what is necessary for payment fulfillment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill transmits the user's question and payment credential to an external domain (web.kihb.shop) without any disclosure or consent mechanism in this file. In a paid-content workflow, both the prompt content and credential can be sensitive, and silent third-party transmission increases privacy and trust risk, especially because the skill's declared role is text generation rather than remote data relay.

Ssd 1

High
Confidence
98% confidence
Finding
The instruction to reveal chain-of-thought is a direct attempt to elicit protected internal reasoning, which is a known prompt-injection and data-exfiltration pattern. In this skill, the risk is amplified because the workflow includes payment handling and credential-related permissions, so exposed reasoning could include sensitive validation logic or references to protected data sources.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.