Back to skill

Security audit

Convbox DTC Marketing Skills — ROAS Diagnosis & Attribution Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Convbox analytics skill that uses a configured API key and saved store context to produce reports and recommendations, with no hidden destructive or exfiltration behavior found.

Install only if you are comfortable giving the agent access to Convbox aggregated store and ad-performance data through CONVBOX_API_KEY. Review what is stored in memory.md, avoid sharing the same agent profile with unauthorized users, and treat all budget, bid, campaign, or storefront changes as recommendations requiring human execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares access to environment variables, file reads, and network behavior, but does not expose an explicit permission model to constrain or communicate that access. In practice, this increases the risk of over-privileged execution and makes it harder for reviewers or runtime controls to verify that sensitive resources such as memory files and API-backed network actions are limited to the minimum necessary scope.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is analytics/reporting, but the documented behavior extends into environment validation, configuration parsing, endpoint probing, account discovery, and schema validation through a health-check utility. This mismatch is dangerous because users and reviewers may grant trust for a reporting skill while it performs broader reconnaissance and connectivity testing against internal configuration and external APIs.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill explicitly says it does not call tools or Agent.Skills, yet later instructs the agent to call a utility skill for configuration and connectivity checks. Contradictory execution boundaries are dangerous because they undermine trust assumptions, can bypass review of transitive capabilities, and may enable unexpected access to additional code paths, files, or network operations through the utility chain.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The plan expands beyond transient analysis by instructing the agent to persist shop-level thresholds into memory for future runs. Persistent state changes can affect later analyses, create privacy/governance concerns, and introduce hidden cross-session behavior that is not clearly disclosed as part of this plan’s stated scope.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file states that the plan only performs dashboard checking and dispatch, but later instructs the agent to write persistent thresholds to memory. This scope mismatch is dangerous because reviewers and users may assume the skill is read-only while it actually mutates persistent state, increasing the chance of unnoticed data retention and unintended downstream behavior.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The plan instructs the skill to default to Google search when the user does not specify a channel, which can cause the agent to prepare or request data for a platform the user did not explicitly authorize in the current interaction. In this skill, the risk is limited because the plan remains diagnostic and still requires account context and connection checks, but it can still lead to incorrect scope selection, unintended data access, or misleading analysis.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The routing examples include broad, everyday phrases such as "anything wrong with my campaigns" and "what's off today," which can cause the skill to be invoked on ambiguous user requests. In an agentic environment, overly permissive routing increases the chance of unintended data access, misleading analyses, or unnecessary downstream plan dispatches when the user did not explicitly request anomaly detection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plan directs the agent to persist shop-level thresholds without a user-facing warning or explicit consent flow. In a commerce analytics skill, these thresholds may encode business-sensitive baselines or preferences, so silent persistence creates privacy, transparency, and governance risks and may surprise users who expect a one-off analysis.

Unbounded Output

Medium
Category
Output Handling
Content
1. **Load memory → summarize as session context.** Check for the store-profile memory (`memory.md`). If it exists, read it and briefly summarize it back to the user as the working context: business background (store URL, primary category, main objective), benchmarks (gross margin, target / breakeven ROAS, budget cap), and preferences (attribution model, report language, work role). Keep this to a few lines. If no memory exists, treat it as first-time setup and go to step 2.

2. **Confirm default configuration.** Ask the user to confirm the two defaults that drive everything downstream, showing what is currently on file (or "not set" for a first session):
   - **Work role** — defaults to **General** (all results, no trimming); or one of Founder / Marketing Director / CRM / Site Ops / Creative Strategist / Media Buyer.
   - **Store info** — store URL, primary category, main business objective, and benchmarks.

   Ask "Is this still correct?" If anything is wrong or missing, guide the user to fill in / correct it, then **write the updated profile back to memory** for reuse (see Section 2 for the field list and write rules).
Confidence
76% confidence
Finding
no trimming

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
access.yaml:9