Security audit

Ask Leonidas — LEONIDAS Prompt Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Ask Leonidas prompt-generation skill that uses an external API and API key, with manageable privacy and configuration cautions.

Install only if you intend to use the Ask Leonidas external API. Keep ASK_LEONIDAS_API_BASE set to https://askleonidas.com, protect ASK_LEONIDAS_API_KEY, avoid submitting sensitive business or personal details unless you are comfortable sharing them with that service, and review generated prompts before placing them into persistent agent instruction files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (6)

Tainted flow: 'req' from os.environ.get (line 25, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: ) try: with urllib.request.urlopen(req, timeout=timeout) as resp: raw = resp.read().decode("utf-8") print(raw if raw.strip() else json.dumps({"status": "empty"})) return 0
Confidence: 90% confidence
Finding: with urllib.request.urlopen(req, timeout=timeout) as resp:

Description-Behavior Mismatch

Low

Confidence: 90% confidence
Finding: On unexpected exceptions, the skill automatically opens a browser to an external URL derived from environment configuration. Even if intended as a convenience fallback, this creates an undisclosed side effect outside the stated prompt-generation function and can trigger unwanted navigation to a remote site, which is risky in automated or headless agent environments.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: Automatic browser launch is not necessary to generate prompts and introduces behavior that can be abused or cause unintended external interaction whenever an exception occurs. In agent or CI contexts, this can violate execution expectations, create phishing exposure if the base URL is misconfigured, and expand the skill's effective attack surface beyond its declared purpose.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger phrases are broad enough to activate on generic prompt-writing or agent-help requests that may not be intended for this external service. This can cause unintentional routing of unrelated user content to the skill, increasing privacy risk and the chance of accidental third-party disclosure.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The behavior section states that user pain points and optional context are sent to an external API and may be submitted through browser automation, but the skill does not prominently warn users before doing so. This undermines informed consent and may expose sensitive business information, internal workflows, or personal data to a third party without clear notice.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill sends user-provided pain points, role, industry, desired outcome, and related metadata to a remote API, but the code provides no explicit disclosure or consent mechanism at the point of transmission. Because these inputs may contain sensitive business or personal information, silent exfiltration to a third-party service creates a real privacy and data-handling risk in the context of an agent skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.