Security audit

Sensitive Info Protection

Security checks across malware telemetry and agentic risk

Overview

The core scanner is purpose-aligned, but the bundled browser helper can monitor chat content and automatically submit chat messages, so this skill should go through Review before installation.

Review this skill before installing, especially if the browser helper will run in your chat UI. The Python detector appears local and purpose-aligned, but detection reports may show raw secrets, and the helper can keep a detected value in page memory and submit chat messages after button clicks. Prefer desensitized output and avoid enabling the UI helper in sensitive workflows unless you are comfortable with that automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation shows file-loading behavior via `detector.load_config("path/to/config.json")`, which implies file read capability while no corresponding permission is declared. Undeclared file access undermines least-privilege controls and can let a skill access local configuration or sensitive files outside user expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a significant description-behavior mismatch: the skill claims to be a passive protection tool, but the analyzed behavior includes DOM monitoring, UI injection, reading/modifying chat input, automatic message submission, and storing detected sensitive content globally. In a sensitive-data protection context, these hidden capabilities are especially dangerous because they can expose, alter, or resend the very secrets the skill is supposed to protect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code programmatically fills the chat input, dispatches an input event, and then clicks the send button after a timeout, so a message is submitted without an explicit final user confirmation at send time. In a sensitive-info protection skill this is especially dangerous because it can transmit the original sensitive text, or trigger control actions such as '确认放行' (confirm release) / '取消发送' (cancel send) on the user's behalf, increasing the risk of unintended disclosure or workflow manipulation.

VirusTotal

65/65 vendors flagged this skill as clean.