Back to skill

Security audit

GEO内容违禁词检测与智能替换

Security checks across malware telemetry and agentic risk

Overview

This skill performs content checking as advertised, but its bundled paid-license service, automatic file writes, and credential-bearing network calls need review before installation.

Install only if you are comfortable with an automated content-rewrite workflow and the paid-license design. Use local/free mode for sensitive drafts, require confirmation before saving rewritten files, set GEO_API_ENDPOINT only to a trusted HTTPS service, avoid putting admin tokens in URLs, and review the prohibited-word list before relying on it for moderation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though its documented behavior uses environment variables, reads local files, writes output files, and performs network-based API-key validation. This undermines informed consent and security review because operators cannot accurately assess the skill's access scope before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is local prohibited-word detection and replacement, but the documented behavior introduces API-key billing, remote verification, result truncation, and other monetization infrastructure not central to that purpose. Description-behavior mismatch is dangerous because users may expose credentials or content under the assumption the skill is only performing local compliance checks.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
API-key billing activation and remote verification are not necessary for the core task of detecting prohibited words in text, so they expand the attack surface without strong functional justification. This creates risk of credential misuse, remote tracking, and unexpected outbound communication during a content-processing workflow.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill automatically saves modified files and writes output into the working directory without asking for confirmation. Automatic writes can overwrite user expectations, leak sensitive processed content into shared directories, or create unauthorized derivative files in environments where file changes should be tightly controlled.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The deployment guide introduces remote license verification, paid access control, and credit deduction infrastructure that is not reflected in the declared skill purpose of prohibited-word detection and replacement. This capability expansion increases attack surface, adds external network dependencies, and creates undisclosed billing/telemetry behavior that users or reviewers may not expect from a content-compliance skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The document instructs operators to configure an admin token and exposes key-management operations such as issuing, recharging, and revoking API keys, which are unrelated to the end-user safety function of word checking. Embedding secret-management and administrative control workflows inside a simple detection skill increases the chance of credential mishandling, privilege misuse, and repurposing the skill as a lightweight licensing backend.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file is presented as part of a prohibited-word checking skill, but it actually implements a license-key verification and credit-deduction backend. This capability mismatch is dangerous because it introduces hidden billing and access-control functionality that users, reviewers, or platform operators may not expect, increasing the risk of undisclosed monetization, tracking, or abuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The admin endpoints allow key issuance, recharge, balance queries, and revocation even though those capabilities are unrelated to prohibited-word checking. In a skill context, undocumented administrative control planes are risky because they expand attack surface, enable covert service monetization or user management, and may expose sensitive operational functions if misconfigured or reused insecurely.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module comments describe a prohibited-word detection service, but the implementation is a licensing and billing API. This discrepancy undermines trust and reviewability, making it easier for hidden non-core behavior to evade scrutiny and harder for operators to assess what data and privileges the component actually uses.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script introduces an unrelated remote billing verification path for a local text-scanning utility and sends the API key to a configurable endpoint. In a skill context, this expands trust boundaries and creates a credential-exposure risk, especially because the endpoint can be supplied externally via CLI or environment variables.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to activate on generic compliance-related requests, which can cause the skill to run in contexts the user did not intend. In this skill, that matters because activation may lead to automatic file reads, content processing, and output writes without a narrowly scoped user request.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs automatic file reads and subsequent processing without a user-facing warning that local files may be accessed and later modified. Silent file access increases privacy and safety risk, especially when users provide paths expecting inspection rather than autonomous workflow execution.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill enables API-key-based HTTP validation without clearly warning that credentials and potentially content-related metadata may be sent to a remote endpoint. Hidden outbound transmission is particularly risky in a text-review tool because users may assume their content remains local while API keys and usage data are exposed externally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill performs automatic text replacement and writes derived files without warning users that the content will be altered without confirmation. Unreviewed modifications can introduce errors, destroy auditability of the original text, or create compliance and integrity issues if the rewritten output is treated as authoritative.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The prohibited-words list suppresses broad categories of ordinary political speech, including names of officials, ideology, and state-related terms, without any visible user consent, regional scoping, or policy rationale. In a content-checking skill, this creates a real censorship and abuse risk because benign user content can be flagged, altered, or blocked for non-safety reasons under the guise of compliance.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The list includes broad English political and geopolitical vocabulary that is ordinary public discourse rather than inherently harmful content. This overbroad policy embedding can silently bias or suppress normal discussion across languages, making the skill capable of inappropriate moderation and discriminatory content handling.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The balance query example places the admin_token in the URL query string, which is commonly logged by browsers, proxies, server logs, analytics tools, and shell history. Exposure of this token would allow an attacker to perform administrative operations against the billing service, such as viewing balances or potentially managing customer keys if the same token is reused across endpoints.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code transmits the provided API key to a remote service without an explicit runtime confirmation or prominent disclosure beyond help text. In an agent/skill environment, users may not realize that invoking full detection causes secret material to be sent off-host, which can lead to credential leakage if the endpoint is untrusted or attacker-controlled.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.