Security audit

Ask Leonidas — LEONIDAS Prompt Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Ask Leonidas prompt-generation skill that calls an external API with an API key. Its privacy and configuration cautions are manageable if the guidance below is followed.

Install it only if you intend to use the Ask Leonidas external API, and:
  • Keep ASK_LEONIDAS_API_BASE set to https://askleonidas.com; any other value sends the API key and the submitted details to a different host.
  • Protect ASK_LEONIDAS_API_KEY.
  • Avoid submitting sensitive business or personal details unless you are comfortable sharing them with that service.
  • Review generated prompts before placing them into persistent agent instruction files.
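The following Python is an added example of a client shaped by these precautions; it is not the skill's own code and not code from the Ask Leonidas project. It pins the base URL to the documented origin (rejecting any other value instead of using it), carries the API key only in an Authorization header, tells the user which fields are about to leave the machine and asks before sending, and on any failure reports the error rather than opening a browser. The endpoint path /api/generate and the JSON POST body are assumptions for this example (the page does not show the real endpoint); the transport and the confirmation prompt are injected so the block runs offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Mapping

# The only origin this skill should ever talk to, per the install guidance above.
ALLOWED_BASE = "https://askleonidas.com"
# Assumed for this example only: the real endpoint path is not shown on the page.
ENDPOINT_PATH = "/api/generate"


def validate_base_url(base: str) -> str:
    """Accept ASK_LEONIDAS_API_BASE only if it is exactly the documented origin.

    http://, another host, a look-alike domain, or an extra path/query/fragment
    is rejected up front, so a misconfigured base cannot redirect the API key
    or the user's details to a different host.
    """
    want = urllib.parse.urlsplit(ALLOWED_BASE)
    got = urllib.parse.urlsplit(base.strip())
    if (got.scheme, got.netloc.lower()) != (want.scheme, want.netloc) \
            or got.path not in ("", "/") or got.query or got.fragment:
        raise ValueError(f"refusing ASK_LEONIDAS_API_BASE={base!r}; expected {ALLOWED_BASE}")
    return ALLOWED_BASE


def build_request(env: Mapping[str, str], payload: dict) -> urllib.request.Request:
    """Pin the URL and carry the key only in the Authorization header."""
    base = validate_base_url(env.get("ASK_LEONIDAS_API_BASE", ALLOWED_BASE))
    key = env.get("ASK_LEONIDAS_API_KEY", "")
    if not key:
        raise RuntimeError("ASK_LEONIDAS_API_KEY is not set")
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        base + ENDPOINT_PATH,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"},
    )


def generate_prompt(
    env: Mapping[str, str],
    payload: dict,
    confirm: Callable[[str], bool],
    send: Callable[[urllib.request.Request], bytes],
) -> dict:
    """Tell the user what leaves the machine, ask first, and fail closed.

    `confirm` receives the notice and returns True to proceed; `send` performs
    the HTTP call (injected so this runs offline and tests can observe the
    request). There is deliberately no browser-launch fallback on error.
    """
    notice = (
        f"About to send the fields {sorted(payload)} to {ALLOWED_BASE}. "
        "Do not continue if they contain confidential business or personal details."
    )
    if not confirm(notice):
        return {"status": "declined", "attempted": False}
    try:
        req = build_request(env, payload)
    except (ValueError, RuntimeError) as exc:
        return {"status": "config_error", "attempted": False, "error": str(exc)}
    try:
        raw = send(req)
    except Exception as exc:  # network or HTTP failure: report it, nothing else
        return {"status": "error", "attempted": True, "error": type(exc).__name__}
    text = raw.decode("utf-8")
    return {"status": "ok", "attempted": True, "result": text if text.strip() else None}


if __name__ == "__main__":
    # Offline demonstration with a constructed environment and a recording transport.
    # Real wiring would be: send=lambda r: urllib.request.urlopen(r, timeout=30).read()
    # and confirm=lambda msg: input(msg + " [y/N] ").strip().lower() == "y".
    demo_env = {"ASK_LEONIDAS_API_BASE": "https://askleonidas.com", "ASK_LEONIDAS_API_KEY": "demo-key"}
    seen = []

    def record(req: urllib.request.Request) -> bytes:
        seen.append((req.full_url, req.get_header("Authorization")))
        return b'{"prompt": "demo"}'

    print(generate_prompt(demo_env, {"pain_point": "slow onboarding"}, lambda m: True, record))
    print(seen)
    print(generate_prompt(dict(demo_env, ASK_LEONIDAS_API_BASE="https://evil.example"), {}, lambda m: True, record))
```

The consent gate lists field names, not values, so the notice itself does not leak the content it is warning about; the config check runs before any network activity, so a bad base URL is a local error rather than a request to the wrong host.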

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Tainted flow: 'req' from os.environ.get (line 25, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 90%
Finding: with urllib.request.urlopen(req, timeout=timeout) as resp:
Content (code excerpt):
)

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read().decode("utf-8")
            print(raw if raw.strip() else json.dumps({"status": "empty"}))
            return 0

Description-Behavior Mismatch

Severity: Low
Confidence: 90%
Finding: On unexpected exceptions, the skill automatically opens a browser to an external URL derived from environment configuration. Even if intended as a convenience fallback, this creates an undisclosed side effect outside the stated prompt-generation function and can trigger unwanted navigation to a remote site, which is risky in automated or headless agent environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: Automatic browser launch is not necessary to generate prompts and introduces behavior that can be abused or cause unintended external interaction whenever an exception occurs. In agent or CI contexts, this can violate execution expectations, create phishing exposure if the base URL is misconfigured, and expand the skill's effective attack surface beyond its declared purpose.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The trigger phrases are broad enough to activate on generic prompt-writing or agent-help requests that may not be intended for this external service. This can cause unintentional routing of unrelated user content to the skill, increasing privacy risk and the chance of accidental third-party disclosure.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The behavior section states that user pain points and optional context are sent to an external API and may be submitted through browser automation, but the skill does not prominently warn users before doing so. This undermines informed consent and may expose sensitive business information, internal workflows, or personal data to a third party without clear notice.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill sends user-provided pain points, role, industry, desired outcome, and related metadata to a remote API, but the code provides no explicit disclosure or consent mechanism at the point of transmission. Because these inputs may contain sensitive business or personal information, silent exfiltration to a third-party service creates a real privacy and data-handling risk in the context of an agent skill.
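The tainted-flow finding (an environment-derived `req` reaching `urllib.request.urlopen`) and the two browser-launch findings above describe patterns that can be checked mechanically before a skill is installed. The following Python is an added example, not SkillSpector's code and not the skill's: a small AST pass that propagates taint from os.environ reads through simple assignments (the "Variable-Mediated Taint Flow" pattern) until it reaches a urllib network call, and separately flags any webbrowser call placed inside an except handler. The SAMPLE script it scans is constructed here to mirror the behaviour the findings describe; its variable names and the /generate path are invented, and it is not the audited skill's source.

```python
import ast
from typing import Dict, List, Set, Tuple

NETWORK_SINKS = {"urlopen", "Request"}  # last component of urllib.request.urlopen / .Request
ENV_READS = {"os.environ.get", "os.getenv", "environ.get", "getenv"}
BROWSER_PREFIX = "webbrowser."

Source = Tuple[str, int]  # (environment variable name, line where it is read)


def _callee(call: ast.Call) -> str:
    """Dotted callee name, e.g. 'os.environ.get' or 'urllib.request.urlopen'."""
    parts, func = [], call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _env_sources(expr: ast.AST) -> Set[Source]:
    """Environment reads anywhere inside an expression: os.environ.get('X'), os.getenv('X'), os.environ['X']."""
    found: Set[Source] = set()
    for node in ast.walk(expr):
        if isinstance(node, ast.Call) and _callee(node) in ENV_READS:
            arg = node.args[0] if node.args else None
            found.add((str(arg.value) if isinstance(arg, ast.Constant) else "?", node.lineno))
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) in ("os.environ", "environ"):
            found.add((str(node.slice.value) if isinstance(node.slice, ast.Constant) else "?", node.lineno))
    return found


def _names(expr: ast.AST) -> Set[str]:
    return {n.id for n in ast.walk(expr) if isinstance(n, ast.Name)}


def _inside_except(node: ast.AST, parents: Dict[ast.AST, ast.AST]) -> bool:
    while node in parents:
        node = parents[node]
        if isinstance(node, ast.ExceptHandler):
            return True
    return False


def scan(source: str) -> List[dict]:
    """Report env-derived values reaching network sinks, and browser launches inside except blocks."""
    tree = ast.parse(source)
    parents = {c: p for p in ast.walk(tree) for c in ast.iter_child_nodes(p)}

    # Variable-mediated taint: propagate through simple `name = expr` assignments
    # to a fixed point, so several hops and out-of-order discovery are handled.
    tainted: Dict[str, Set[Source]] = {}
    assigns = [n for n in ast.walk(tree)
               if isinstance(n, ast.Assign) and len(n.targets) == 1 and isinstance(n.targets[0], ast.Name)]
    changed = True
    while changed:
        changed = False
        for a in assigns:
            srcs = set(_env_sources(a.value))
            for v in _names(a.value):
                srcs |= tainted.get(v, set())
            new = srcs - tainted.get(a.targets[0].id, set())
            if new:
                tainted.setdefault(a.targets[0].id, set()).update(new)
                changed = True

    findings: List[dict] = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        callee = _callee(call)
        arg_exprs = list(call.args) + [k.value for k in call.keywords]
        if callee.rsplit(".", 1)[-1] in NETWORK_SINKS:
            hit = sorted({v for e in arg_exprs for v in _names(e) if v in tainted})
            if hit:
                findings.append({
                    "kind": "tainted_network_sink", "line": call.lineno, "sink": callee,
                    "args": hit, "sources": sorted(set().union(*(tainted[v] for v in hit))),
                })
        if callee.startswith(BROWSER_PREFIX) and _inside_except(call, parents):
            findings.append({"kind": "browser_launch_in_except", "line": call.lineno, "call": callee})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample mirroring the behaviour the findings describe (not the audited skill's code).
SAMPLE = '''
import json, os, urllib.request, webbrowser

def main(payload, timeout=30):
    base = os.environ.get("ASK_LEONIDAS_API_BASE", "https://askleonidas.com")
    key = os.environ.get("ASK_LEONIDAS_API_KEY")
    url = base + "/generate"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Authorization": "Bearer " + key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            print(resp.read().decode("utf-8"))
            return 0
    except Exception:
        webbrowser.open(base)
        return 1
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

On the sample this reports the Request call (fed by `url` and `key`), the urlopen call (fed by `req`, which carries both environment sources), and the `webbrowser.open` inside the except handler. It tracks only single-target assignments, so taint that passes through function returns, attribute stores or containers is missed; treat it as a triage aid alongside a full scanner, not a replacement for one.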

VirusTotal

64/64 vendors reported this skill as clean (0 detections).

Static analysis

No suspicious patterns detected. Pattern matching and the VirusTotal verdict above address malware indicators only; they do not cover the data-flow and behavioural findings listed under SkillSpector, which remain open regardless of these clean results.