
Security audit

personalized_Podcast_Mandarin

Security checks across malware telemetry and agentic risk

Overview

This is a coherent podcast-generation skill, but it needs review because it embeds reusable-looking credentials in its README and source, clears proxy environment variables process-wide before making network calls, and persists persona/memory data under filesystem paths built from unvalidated identifiers.

Review this skill before installing in a work or sensitive environment. Do not run the bundled live tests with the embedded credentials; use your own rotated keys via environment variables. Avoid submitting confidential PDFs, private URLs, or personal documents unless you are comfortable sending their content or derived script text to external model and TTS providers. Consider patching the proxy-clearing behavior, adding path validation for persona storage, and documenting how to view and delete saved personas and memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (63)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation advertises capabilities that require environment access, local file read/write, and network use, but it does not declare those permissions explicitly. This creates a transparency and consent problem: users and orchestration systems may invoke the skill without understanding that it can access credentials, read local content, persist data, and transmit information externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is podcast generation, but the skill also describes broader stateful behavior: persistent persona and memory storage, credential collection/storage, configuration management, and lifecycle operations beyond the advertised scope. This mismatch is dangerous because users may provide content expecting one-off transformation while the skill retains profiles, documents, and secrets locally for future use.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file implements persistent per-user memory storage and retrieval, which is materially outside the stated podcast-generation purpose. In an agent-skill ecosystem, unexplained retention of user data increases the risk of covert profiling, data over-collection, and later misuse, especially when users would not reasonably expect long-term storage from a podcast-generation feature.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code builds and maintains user profiles/memories on disk without a clear connection to generating dual-host podcast audio. Even if not overtly malicious, unjustified persistent profiling creates privacy and compliance risk because personal preferences, experiences, or viewpoints may be collected and retained beyond the user's expectation.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module/class descriptions present the component as a retrieval helper, but the implementation also creates, appends, and overwrites persistent files. This mismatch is security-relevant because reviewers and users may underestimate the component's write/destructive behavior, reducing scrutiny around privacy and integrity risks.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
`user_id` and `persona_name` are interpolated directly into filesystem paths with `Path(...)/user_id` and `f"{persona_name}.json"` without validation or canonical-path enforcement. An attacker who can influence those values can use path traversal sequences or absolute-path behavior to read, write, create, or overwrite files outside the intended per-user persona directory; in this skill context, these values appear to be user-scoped inputs, which makes the issue more realistic rather than theoretical.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
`switch_active` builds both `source` and `target` paths from unsanitized `user_id` and `persona_name`, then copies the source file into `default.json`. This enables path traversal or arbitrary file copy within the process's filesystem permissions, potentially overwriting application data or activating attacker-chosen content; because this is a content/persona management feature exposed to user selections, the skill context increases the likelihood of abuse.
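The two path findings above describe the same defect from two angles: identifiers that come from the user are joined straight into a path, and `switch_active` then copies between two such paths. The block below is an added example, not the skill's own code; the store layout (base_dir/<user_id>/<persona_name>.json), the helper names and the identifier regex are assumptions that mirror the finding text. It shows the raw-interpolation pattern escaping the store, and a hardened builder that whitelists both identifiers and proves the resolved path is still under the canonical base before any file is read, written or copied.

```python
"""Added example for the two path findings above (not the skill's own code).
The store layout (base_dir/<user_id>/<persona_name>.json), the helper names and
the regex are assumptions that mirror the finding text."""
import json
import re
import shutil
import tempfile
from pathlib import Path

# Identifiers that become path components: no separators, no dots, bounded length.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def unsafe_persona_path(base_dir, user_id: str, persona_name: str) -> Path:
    """The pattern the finding describes: raw interpolation. A user_id such as
    '../../etc' walks out of base_dir; an absolute persona_name replaces it."""
    return Path(base_dir) / user_id / f"{persona_name}.json"


def safe_persona_path(base_dir, user_id: str, persona_name: str) -> Path:
    """Hardened form: whitelist both identifiers, then verify the resolved path is
    still under the canonical base directory before anything touches the disk."""
    for value in (user_id, persona_name):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid identifier: {value!r}")
    base = Path(base_dir).resolve()
    target = (base / user_id / f"{persona_name}.json").resolve()
    if not target.is_relative_to(base):  # Path.is_relative_to needs Python 3.9+
        raise ValueError("persona path escapes the store")
    return target


def escapes_store(base_dir, candidate: Path) -> bool:
    """True when candidate resolves outside base_dir (used to show the bug)."""
    return not candidate.resolve().is_relative_to(Path(base_dir).resolve())


def rejects(base_dir, user_id: str, persona_name: str) -> bool:
    """True when the hardened path builder refuses the identifier pair."""
    try:
        safe_persona_path(base_dir, user_id, persona_name)
    except ValueError:
        return True
    return False


def switch_active_safe(base_dir, user_id: str, persona_name: str) -> Path:
    """Safe counterpart of the finding's switch_active: both endpoints are built
    through safe_persona_path, so the copy cannot reach outside the user's dir."""
    source = safe_persona_path(base_dir, user_id, persona_name)
    target = safe_persona_path(base_dir, user_id, "default")
    if not source.is_file():
        raise FileNotFoundError(source)
    if source != target:
        shutil.copyfile(source, target)
    return target


def demo() -> dict:
    """Create a temporary store, save one persona, activate it; returns what
    default.json contains afterwards (constructed data, cleaned up on exit)."""
    with tempfile.TemporaryDirectory() as tmp:
        persona = safe_persona_path(tmp, "alice", "news-host")
        persona.parent.mkdir(parents=True)
        persona.write_text(json.dumps({"voice": "news-host"}), encoding="utf-8")
        active = switch_active_safe(tmp, "alice", "news-host")
        return json.loads(active.read_text(encoding="utf-8"))
```

The whitelist alone is not enough if a future change lets identifiers contain dots or slashes, and the resolve-and-compare alone is not enough if the store directory is itself reachable through a symlink an attacker controls; keeping both checks means each one covers the other's blind spot.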

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code clears and overwrites process-wide proxy environment variables, affecting all subsequent network activity in the running process rather than just this client. In a multi-component agent or shared runtime, this can bypass enterprise monitoring, break expected egress controls, and interfere with other skills' network routing in a way unrelated to podcast generation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README includes concrete API key- and token-like values directly in setup instructions, which encourages unsafe secret handling and may expose valid credentials if they are real. In a skill that performs LLM and TTS network calls, leaked credentials can be reused to access paid APIs, consume quota, or impersonate the project.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script hardcodes a live API key and uses it to make authenticated requests to an external model endpoint. Embedded secrets in repository code are easily leaked via source control, logs, screenshots, or redistribution, enabling unauthorized API use and potentially exposing associated data flows and billing resources.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The code forcibly removes proxy-related environment variables before making outbound requests, bypassing enterprise monitoring, filtering, or egress controls that may be relied on for security review and data-loss prevention. In a test for podcast/persona generation, this environment manipulation is unrelated to core functionality and increases the risk of unobserved external communication.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes live external TTS service credentials directly into source and injects them into environment variables at runtime. This exposes reusable secrets to anyone with repository or artifact access and enables unauthorized use of the external service, billing abuse, and potential linkage of generated user content to a third-party provider without proper controls.
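The three credential findings above (key-like values in the README, a hardcoded model API key, hardcoded TTS credentials pushed into environment variables) are the kind of thing a reviewer should catch before installing a skill. The block below is an added example, not the skill's code or NVIDIA's scanner: a small pre-install check that flags credential-looking assignments in text while skipping obvious placeholders and environment lookups. `SAMPLE` is constructed text standing in for a README plus a test file; the variable names and values in it are invented, not taken from the skill.

```python
"""Added example for the embedded-credential findings above: a small scanner a
reviewer can run over a README or source tree before trusting a skill. Not the
skill's code; SAMPLE is constructed text, not the skill's README, and the
key/value pairs in it are invented."""
import math
import re
from collections import Counter

SAMPLE = """\
# README setup snippet (constructed)
export MODEL_API_KEY=ak_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c
export TTS_TOKEN=<your-tts-token>
# test_tts.py (constructed)
TTS_APP_KEY = "t9Qm2xV7kLp4RsW1zB8nC3fH6jD0gY5e"
MODEL_API_KEY = os.environ["MODEL_API_KEY"]
REGION = "cn-shanghai"
"""

# name = value / name: value, where the name smells like a credential
ASSIGN_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:api[_-]?key|app[_-]?key|token|secret|password)[A-Z0-9_]*)"
    r"\s*[:=]\s*[\"']?([^\s\"']+)")
# values that are clearly not live material: <placeholder>, ${VAR}, env lookups, xxxx, ...
PLACEHOLDER_RE = re.compile(r"(?i)^(<[^>]*>|\$\{?\w+\}?|os\.environ.*|your[-_].*|x{4,}|\.\.\.)$")
MIN_LENGTH = 16
MIN_ENTROPY = 3.0  # bits per character; random key material is usually well above this


def shannon_entropy(value: str) -> float:
    """Bits per character; a constant string scores 0, random base62 near 5."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    return (len(value) >= MIN_LENGTH
            and not PLACEHOLDER_RE.match(value)
            and shannon_entropy(value) >= MIN_ENTROPY)


def mask(value: str) -> str:
    """Report a hit without copying the whole value into the report."""
    return value[:4] + "..." + value[-2:]


def scan(text: str) -> list:
    """Return (line_number, variable_name, masked_value) for every suspect line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if m and looks_like_secret(m.group(2)):
            hits.append((lineno, m.group(1), mask(m.group(2))))
    return hits
```

On the constructed sample the scanner flags the README export and the test-file literal and ignores the placeholder, the `os.environ` lookup and the region string. Any hit on a real repository should be treated as a live key until the owner confirms otherwise, and rotated rather than merely deleted, since the value is already in the project's history.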

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The test reads credentials from local private files and injects them into process environment variables, creating a built-in secret-loading path inside the repository. Even if intended for developer convenience, this normalizes handling API secrets in code and increases the chance of accidental disclosure through logs, crashes, subprocess inheritance, or reuse in less trusted contexts.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The test deletes proxy-related environment variables before execution, overriding the host's network security and routing configuration. That can bypass enterprise monitoring, egress controls, debugging setups, or required outbound restrictions, making networked test behavior less observable and potentially noncompliant.
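The three proxy findings above (the client module, and two tests) all describe the same action: proxy variables are deleted from the process environment, so every later connection in the process goes direct. The block below is an added example, not the skill's code; the page does not show which variables the skill clears or which HTTP client it uses, so this uses the conventional `*_proxy` variables and `urllib` from the standard library. It contrasts the process-wide pattern with a client-scoped alternative that leaves `os.environ` untouched.

```python
"""Added example for the proxy-clearing findings (not the skill's own code).
The page does not show which variables the skill clears or which HTTP client it
uses, so this uses the conventional *_proxy variables and urllib from the
standard library."""
import os
import urllib.request
from typing import MutableMapping, Optional

PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY",
              "http_proxy", "https_proxy", "all_proxy", "no_proxy")


def clear_proxy_vars(env: Optional[MutableMapping[str, str]] = None) -> list:
    """The pattern the findings describe. With the default (os.environ) every
    later network call in the process, other skills' clients and any child
    process included, goes direct and past the corporate proxy."""
    target = os.environ if env is None else env
    return [name for name in PROXY_VARS if target.pop(name, None) is not None]


def env_proxy_opener() -> urllib.request.OpenerDirector:
    """Default client behaviour: ProxyHandler() with no argument snapshots the
    *_proxy variables at construction, which is what egress controls rely on."""
    return urllib.request.build_opener(urllib.request.ProxyHandler())


def proxy_free_opener() -> urllib.request.OpenerDirector:
    """Scoped alternative: an explicit empty proxy map affects only requests made
    through this opener. os.environ is not touched, so nothing else changes."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def effective_proxies(opener: urllib.request.OpenerDirector) -> dict:
    """Proxy map an opener will use; an empty map means direct connections."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


def demo_process_wide() -> dict:
    """Run the destructive pattern against a constructed copy of an environment
    (not the real one) and report what it removed and what survived."""
    env = {"HTTPS_PROXY": "http://proxy.corp.example:3128",
           "NO_PROXY": "localhost,.corp.example", "PATH": "/usr/bin"}
    removed = clear_proxy_vars(env)
    return {"removed": removed, "remaining": sorted(env)}
```

If the skill's client is `requests`, the equivalent scoping is `Session.trust_env = False` or an explicit `proxies=` argument on the session, again without writing to `os.environ`. Even the scoped form deserves a comment explaining why a direct connection is needed, because from the monitoring side a client that deliberately bypasses the proxy and one that exfiltrates look the same.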

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The test script reads a repository-local private file and injects model credentials into process environment variables, which expands the test's privilege and trust boundary beyond normal fixture setup. Even if intended for convenience, this can cause accidental secret use during local or CI test runs and makes credential-dependent network access possible from a test that should be isolated.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The test code reads a local private credential file and injects model identifiers and an API key into process environment variables. Even though this is framed as test setup, it expands the skill's effective privilege boundary by coupling unrelated local secrets to a content-generation test, increasing the chance of accidental credential exposure, misuse by downstream code, or leakage through logs/crash reports.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The test code automatically reads credentials from a local private/TTS.txt file and injects them into process environment variables. Even though this appears intended to simplify local testing, it expands the secret exposure surface and couples test execution to implicit credential discovery that is not strictly necessary for the skill's core functionality.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The test reads TTS credentials from a local private file and injects them into process-wide environment variables, expanding the exposure of secrets beyond the narrow scope of the test. Even though this appears intended for developer convenience, placing secrets into env vars can make them accessible to imported code, subprocesses, logs, or crash dumps during test execution.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The test reads credentials from a local private file and injects them into process environment variables, expanding the code's access to secrets beyond what is strictly necessary for a unit/integration-style test. Even though this appears intended for developer convenience rather than exfiltration, it creates a credential-handling path that can leak secrets through logs, subprocess inheritance, crash dumps, or accidental reuse by other imported code.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This test reads credential material from a local private file and injects it into process environment variables even though the stated purpose is only to validate dual-speaker configuration and channel assignment. Pulling secrets into a general test path increases the chance of accidental exposure through logs, subprocess inheritance, debugging, or unintended networked code paths in imported components.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The test reads credential material from a local private file and injects it into process environment variables even though the file is framed as a long-text stability test. This expands secret exposure within the process and normalizes hidden credential loading in test code, which can lead to accidental leakage through logs, subprocess inheritance, crashes, or reuse by unrelated code paths.
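The run of test findings above all point at one habit: each test reads a private credential file and copies its contents into process-wide environment variables, where imported code, subprocesses and crash reports can see them. The block below is an added example, not the skill's code, of the narrower pattern a reviewer would ask for: the file is parsed into a scoped value object that is handed to the client explicitly, the token is kept out of `repr`, and the file is not even opened unless the operator opted in. The file format (KEY=VALUE lines), the field names `TTS_APP_ID`/`TTS_TOKEN` and the `RUN_LIVE_TESTS=1` flag are assumptions; none of them are shown on the page.

```python
"""Added example for the test-credential findings above (not the skill's code):
read a private credential file into a scoped object instead of os.environ.
Assumptions: the file holds KEY=VALUE lines, the field names TTS_APP_ID/TTS_TOKEN,
and an explicit RUN_LIVE_TESTS=1 opt-in flag; none of these are shown on the page."""
import os
from dataclasses import dataclass, field
from pathlib import Path
from typing import Mapping, Optional

REQUIRED = ("TTS_APP_ID", "TTS_TOKEN")


@dataclass(frozen=True)
class TtsCredentials:
    app_id: str
    token: str = field(repr=False)  # kept out of repr, so logs and tracebacks show no token

    def masked(self) -> str:
        return f"{self.token[:3]}...({len(self.token)} chars)"


def missing_fields(values: Mapping[str, str]) -> list:
    """Names from REQUIRED that are absent or empty."""
    return [name for name in REQUIRED if not values.get(name)]


def parse_credentials(text: str) -> TtsCredentials:
    """Parse KEY=VALUE lines (blank lines and # comments ignored), fail closed on
    missing fields, and return a value object the test passes to the client."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("\"'")
    missing = missing_fields(values)
    if missing:
        raise ValueError(f"credential file is missing {missing}")
    return TtsCredentials(app_id=values["TTS_APP_ID"], token=values["TTS_TOKEN"])


def load_for_live_test(path, environ: Optional[Mapping[str, str]] = None) -> Optional[TtsCredentials]:
    """Return credentials only when the operator opted in; otherwise None so the
    test can skip. The environment is read, never written, and the private file
    is not even opened unless the flag is set."""
    env = os.environ if environ is None else environ
    if env.get("RUN_LIVE_TESTS") != "1":
        return None
    return parse_credentials(Path(path).read_text(encoding="utf-8"))
```

In a pytest suite the call sits at the top of the live test: `creds = load_for_live_test("private/TTS.txt")` followed by `pytest.skip(...)` when it returns None, so CI and contributors without credentials run the offline tests only, and nothing in the process environment changes for the tests that do run.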

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to provide API keys and submit URL/PDF/topic content to external services, but it does not disclose that source material may be transmitted to third-party providers for research, script generation, or optional TTS processing. This creates a real privacy and data-handling risk because users may unknowingly send sensitive documents or proprietary URLs off-host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes network-based research, external agents, and API-key-backed processing, but does not clearly warn that user-supplied topics, URLs, PDFs, document text, and derived content may be sent to external APIs or search services. In this context, the skill is designed to process arbitrary user content, so missing disclosure materially increases the risk of accidental exfiltration of sensitive or proprietary data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples show reading uploaded or local document text and feeding it into persona extraction and generation workflows without a prominent warning about sensitive-file handling. Because the skill supports ingesting arbitrary documents and persistent persona matching/storage, confidential text could be processed, retained, or transmitted without the user's informed consent.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The default persona hard-codes a Chinese-language identity, catchphrases, and a specific Chinese TTS voice without any evidence of user consent, locale negotiation, or fallback behavior. In a content-generation skill, this can produce voice or language output the user did not ask for, mismatch user expectations, and raise privacy, accessibility, or policy issues when a user is assigned a persona or locale they did not choose.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.