Back to skill

Security audit

Management Dashboard Skill

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent management-report purpose, but it handles sensitive recording summaries and creates persistent HTML reports with weak scoping and avoidable script-execution risks.

Install only after confirming the API is scoped to the current session, reports are stored in an access-controlled location, generated text is HTML-escaped or sanitized, Chart.js is bundled or pinned with integrity controls, and LLM/data-retention handling is acceptable for recording-derived business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs execution of Python, network API calls, reading configuration, and writing HTML reports, yet no permissions are declared. This creates a governance gap where reviewers or runtime policy may not accurately reflect the skill's actual capabilities, increasing the risk of unintended data access or exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill documentation claims strict controls such as resolving agentId via session_status, using main.py as the sole entry point, and performing real LLM-based analysis, but the analyzed behavior reportedly bypasses or does not implement those guarantees. This mismatch is dangerous because operators may trust security and data-handling properties that are not actually enforced, enabling incorrect execution paths and unauthorized or misleading processing.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The README instructs integrators to obtain agentId via a generic getCurrentAgentId() flow instead of the required session_status(sessionKey=current) resolution. In this skill, agentId determines which recording data is queried, so using the wrong resolution path can cause authorization/context mix-ups and retrieval of another session's data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill accepts a caller-supplied agent_id directly, even though the manifest requires resolving it from session_status using the current session key before any API calls. This breaks the intended trust boundary and can enable confused-deputy or cross-tenant data access if a caller supplies another agent's identifier.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The report loads Chart.js from an external CDN at runtime, which introduces a third-party script supply-chain dependency into what is otherwise a static local HTML report. If the CDN, DNS path, or network is tampered with, arbitrary JavaScript could execute in the viewer's browser and access any report content rendered in that origin.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The report loads Chart.js from a third-party CDN at runtime, which introduces a supply-chain and privacy risk outside the core need of generating a static HTML report. If the CDN is compromised, blocked, or modified, anyone opening the report may execute attacker-controlled JavaScript in their browser.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase "日报生成" is very broad and likely to match ordinary conversation, causing the skill to activate unexpectedly. In this skill, activation can fetch recording-analysis data and generate persistent HTML reports, so accidental invocation may expose sensitive operational data or trigger unauthorized processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes generating and saving HTML reports from recording-analysis summaries without warning about sensitive data handling. Because the reports may contain customer, compliance, performance, and operational insights and are written to disk under a predictable reports/ directory, missing guidance increases the chance of inadvertent retention, overexposure, or unauthorized local access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends combined recording summaries, speaker names, team name, date, and grouping statistics to an LLM without any visible minimization, consent, or disclosure controls in this file. Because the skill processes potentially sensitive business conversation summaries and employee-identifiable data, forwarding all of it to an LLM increases privacy and confidentiality risk if users or operators do not explicitly expect that transmission.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The report loads Chart.js from a third-party CDN at runtime, which introduces a supply-chain and privacy risk: opening the local report causes the browser to fetch remote JavaScript that could be modified upstream or blocked/intercepted in hostile environments. Because this file also embeds business analytics and potentially sensitive operational data, remote dependency loading can leak access metadata and turns a static local report into network-active content.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
Confidence
97% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
90% confidence
Finding
requests==2.31.0

Tool Parameter Abuse

High
Category
Tool Misuse
Content
<div class="section">
        <h2><svg class="icon" viewBox="0 0 24 24" fill="none" stroke="#667eea" stroke-width="2"><path d="M6 9H4.5a2.5 2.5 0 0 1 0-5C7 4 7 7 7 7"/><path d="M18 9h1.5a2.5 2.5 0 0 0 0-5C17 4 17 7 17 7"/><path d="M4 22h16"/><path d="M10 14.66V17c0 .55-.47.98-.97 1.21C7.85 18.75 7 20.24 7 22"/><path d="M14 14.66V17c0 .55.47.98.97 1.21C16.15 18.75 17 20.24 17 22"/><path d="M18 2H6v7a6 6 0 0 0 12 0V2Z"/></svg>第三板块:当日 RM 业务水平</h2>
        <h3 style="display:flex;align-items:center;gap:6px;"><svg class="metric-icon" viewBox="0 0 24 24" fill="none" stroke="#667eea" stroke-width="2"><path d="M12 2L15.09 8.26L22 9.27L17 14.14L18.18 21.02L12 17.77L5.82 21.02L7 14.14L2 9.27L8.91 8.26L12 2Z"/></svg>今日团队沟通技能得分排行(百分制)</h3>
{rm_section}{rm_score_table}    </div>

    <!-- 当日线索转化效率 -->
    <div class="section">
Confidence
96% confidence
Finding
rm_section}{rm_score_table} </

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.