Back to skill

Security audit

腾讯乐享知识库 Lexiang Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Lexiang knowledge-base connector with real read/write and file-transfer power, but the risky behavior generally matches its stated purpose and includes some target-confirmation rules.

Install only if you intend to give the agent access to your Lexiang workspace. Before uploads or folder syncs, confirm the exact local files, destination entry, and whether content will be sent over the network. Store the bearer token carefully, avoid syncing folders with secrets, and treat write/edit/delete requests as persistent changes to your knowledge base.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to leave the MCP tool boundary and run a local `curl` command that reads a local file path and transmits its contents to a URL returned at runtime. That expands capability from controlled API calls to shell and filesystem access, which is dangerous because a compromised or unexpected `upload_url` could cause exfiltration of arbitrary local files or normalize unsafe command execution patterns.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad everyday phrases such as search/read/write-related wording that can plausibly appear in unrelated conversations, increasing the chance this skill is invoked when the user did not intend to access the Lexiang knowledge base. In a skill with read/write and file operations, accidental invocation can cause unintended data access, confusing context switches, or unintended writes if downstream safeguards fail.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger scope is broad enough to activate on generic terms like '知识库', '我的知识库', or common identifier patterns, which can cause the skill to engage outside clearly intended Lexiang-specific contexts. An over-broad trigger can route unrelated user requests into a powerful skill that performs search, read, write, and file actions, increasing the chance of unintended data access or modification.

Vague Triggers

Low
Confidence
82% confidence
Finding
The routing table includes generic phrases like '找一下', '搜索', and '导入' that are not uniquely tied to Lexiang usage. In isolation this is less severe than the top-level trigger, but it still increases the chance that unrelated requests are interpreted as instructions to use this skill's connected tools and data sources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell the agent to upload local file contents with `curl --data-binary` to a presigned URL, but they do not require an explicit user-facing consent step that clearly states the file will be sent to an external endpoint. In a skill that handles knowledge-base operations, this makes accidental disclosure more likely because users may assume all data stays within MCP-mediated actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly describes converting Markdown into 乐享 blocks and writing them into a document, but it does not warn that this operation mutates persistent document data. In an agent skill context, missing mutation warnings can cause users or downstream agents to invoke write operations without clear consent, increasing the risk of unintended content creation or overwrite.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file provides multiple concrete examples of content-modifying MCP operations such as creating blocks, tables, code blocks, tasks, and layouts in a target entry, but it does not warn that these actions mutate user documents. In an agent skill context, this increases the risk that an assistant will perform write operations without clearly informing the user or confirming the target, which can lead to unintended document changes or corruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly instructs the agent to place a bearer token directly into a local configuration file, but it does not warn the user that this persists a sensitive credential on disk where it may be exposed through backups, shared profiles, weak file permissions, logs, or later debugging output. In a setup skill that automates configuration, omission of storage-safety guidance increases the chance that users handle long-lived tokens insecurely.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match ordinary complaints or exploratory questions, which can cause the skill to infer consent or intent to escalate when the user only wanted help. In a skill that can prepare or potentially submit external feedback through runtime-defined channels, this increases the risk of unwanted issue drafting, disclosure of user context, or pressure toward external actions not clearly requested.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README instructs users to synchronize local folders and upload files to a remote knowledge base, but it does not clearly warn that file contents will leave the local machine and be transmitted to external services, including an HTTP PUT step. In an AI-assisted workflow, this omission increases the chance of accidental disclosure of sensitive local documents because users may treat the operation as a harmless planning step rather than remote publication or transfer.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script recursively scans a local folder, hashes files, and prepares upload actions to a remote knowledge base, but it does not enforce any explicit confirmation, sensitive-file detection, or transmission warning at the point where user data is staged for upload. In an agent/skill context, this is risky because broad sync operations can unintentionally include confidential documents, and the skill metadata encourages use for knowledge-base write/file operations, making accidental exfiltration more plausible.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/test_upload_files.py:28