Back to plugin

Security audit

Lensmor Skills Core

Security checks across malware telemetry and agentic risk

Overview

This Lensmor bundle broadly matches trade-show research, but it needs Review because it handles sensitive contact data and includes automatic uploads plus an overbroad local uploader that the package metadata under-discloses.

Install only if you trust Lensmor and the paired gateway with your trade-show queries, contact data, API key, generated reports, and uploaded files. Review whether automatic uploads and contact/email unlock workflows fit your privacy and credit-use expectations before enabling this bundle.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill authorizes fallback to general web search and model training data when the primary Lensmor source fails, which widens data provenance and execution scope beyond the declared event-database behavior. This can cause the agent to return unverified, stale, or policy-inconsistent information and may invoke external capabilities the user did not intend, weakening trust and containment boundaries.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The skill claims it is powered by Lensmor's event database, but later permits responses derived from web search or model training data. That mismatch is dangerous because it can mislead users and higher-level orchestrators about the provenance, freshness, and trust model of the returned data, especially for business decisions based on supposedly curated vendor data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The fallback policy explicitly expands the skill from Lensmor exhibitor-database lookups into generic live web search and model-training-data responses. That broadens the tool’s authority and data sources beyond its declared purpose, increasing the risk of scope creep, inconsistent trust boundaries, and delivery of unverifiable or stale results under the same skill identity.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to invoke host-approved web search when Lensmor data is unavailable, even though the skill is described as exhibitor-database discovery. This creates a cross-capability expansion path that may expose users to uncontrolled external content and weakens assurance that answers come from the approved database workflow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reference suggests a follow-up action to 'look up their contacts,' which expands behavior beyond the declared skill scope of exhibitor/company discovery. That kind of scope drift can cause the agent to invoke contact-enrichment capabilities the user did not explicitly request and that may involve access to more sensitive personal or regulated data than expected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill asks users to provide their company website or target-customer description for personalized recommendations without any privacy notice, minimization guidance, or statement of how that data will be used. This can lead to unnecessary collection of potentially sensitive business information and reduces informed user consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad phrases like "What does Shopify do?" and "tell me about Acme Retail," which are common conversational requests that may ambiguously activate this skill outside a clearly scoped exhibitor-search context. Overbroad invocation can cause the agent to route general company-information queries into a Lensmor-backed workflow, leading to unintended data access or actions when the user did not explicitly request this data source.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reference explicitly instructs use of profile-matched recommendations when identity context such as company_url or target_audience is available, but it provides no user-facing disclosure or consent step before that context is sent to an external API. This creates a privacy risk because potentially sensitive business-profile data may be transmitted or inferred without the user's clear awareness, especially in a recommendation flow where the data sharing is not obvious from the request wording.

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares environment-variable and network-dependent behavior in metadata and instructions, but there is no explicit permissions declaration constraining those capabilities. In practice this weakens policy visibility and reviewability: a skill that can read secrets from env and make outbound requests can exfiltrate data or be repurposed beyond its stated role, especially when paired with local file access and upload functionality.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior says uploads should occur only in two narrow trigger cases, but the described command interface is a generic uploader that accepts any local file path, arbitrary base URL, token override, and content-type/output options. That mismatch is dangerous because downstream agents or reviewers may trust the narrow description while the implementation can upload arbitrary local files to attacker-controlled or unintended destinations, enabling data exfiltration and policy bypass.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill manifest requires a strict post-upload contract: after a successful upload it must emit the signed URL as `%%S3URL%%{url}%%END%%` on its own line. This script instead prints human-readable status lines or generic JSON, which can break downstream automation, cause the agent to lose control of where the uploaded file URL is consumed, and potentially leak the signed URL into broader model/user-visible output rather than a constrained machine-readable channel.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest says this skill should trigger only in narrow, explicit contexts, but the code exposes a general-purpose CLI uploader that accepts arbitrary file paths, base URLs, and tokens. In an agent ecosystem, this mismatch weakens policy boundaries: any caller able to invoke the script can use it to upload arbitrary local files, making exfiltration easier if higher-level trigger restrictions are bypassed or misapplied.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs automatic upload of outputs from five core data skills even when the user did not explicitly request transmission, and it does so without a clear user-facing disclosure or consent step. This increases the risk of unintended sharing of potentially sensitive query results, reports, or personal/business data to external storage, making the context more dangerous because the trigger is broad and mandatory.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
parser.add_argument("--format", choices=["text", "json"], default="text", help="Output format")
    args = parser.parse_args()

    token = args.token or os.environ.get("LENSMOR_API_KEY", "")
    if not token:
        print("Error: --token or LENSMOR_API_KEY env is required", file=sys.stderr)
        sys.exit(1)
Confidence
70% confidence
Finding
os.environ.get("LENSMOR_API_KEY

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The fallback policy explicitly expands the skill from a bounded personnel-discovery workflow into general web search and model-training-data responses when the primary data source fails. That broadening can bypass the intended trust, privacy, and scope controls of the skill, causing the agent to answer with unverified or out-of-scope contact information and increasing the chance of inappropriate data collection or disclosure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description is so broad that it can trigger on many generic contact-related requests, including requests outside trade-show personnel discovery. Overbroad activation increases the likelihood that the wrong skill handles a query, which can expose contact-unlock features or data-retrieval behaviors in contexts where they were not intended or appropriately constrained.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill includes flows for unlocking email addresses and contact details but does not present a clear user-facing privacy, authorization, or acceptable-use warning at the point of use. In context, this is more dangerous because the skill is specifically designed to find people and reveal contact data, creating a meaningful risk of privacy misuse, scraping behavior, or disclosure of sensitive business contact information without adequate friction.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough that a normal user request for contact details could invoke a workflow that queues access to private email data without clearly signaling that a sensitive unlock operation will occur. In a skill specifically designed to obtain contact details, over-broad invocation materially increases the risk of unintended privacy-impacting actions, even if downstream plugin checks exist.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The reference describes a process that initiates access to private contact details but does not clearly warn that this is a sensitive action with privacy and account/credit consequences. In this context, the absence of a prominent user-facing warning makes accidental or uninformed initiation more likely, which is more dangerous because the skill's purpose is to unlock personal contact information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This reference instructs the agent to perform an event-level unlock that can consume credits and grant access to full contact/personnel data, but it does not require a clear user-facing warning or confirmation at the skill layer before the action is initiated. Even though the plugin may enforce precheck or confirmation, the skill content normalizes a potentially billable, privacy-expanding action and tells the agent not to discuss route mechanics, which increases the risk of users triggering costly or overbroad access without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is designed to retrieve and present a named person's event-attendance history, which is personal/professional behavioral data, yet it provides no user-facing privacy notice, lawful-use constraint, or minimization guidance. That omission increases the risk of silent profiling, stalking, or other privacy-invasive uses even if the backend access itself is technically permitted.

Ssd 3

High
Confidence
99% confidence
Finding
The line 'No identity check is needed' explicitly removes any verification step before resolving and disclosing a person's event history. In context, this makes the skill materially more dangerous because it enables anyone who can invoke the skill to enumerate an individual's attendance footprint without confirming authorization, relationship, or legitimate purpose.

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.