Security audit

inquiry analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly consistent with its stated purpose of Alibaba inquiry reporting, but it drives a logged-in browser session to gather and store sensitive customer data, and it can trigger OKKI background checks without strong scoping controls.

Install only if the operator is authorized to use the logged-in Alibaba account for inquiry analysis and OKKI background checks. Run it on a trusted machine, review the generated reports/, chats/, okki-reports/ and debug-dump directories for sensitive customer data, delete outputs when no longer needed, and avoid relying on external INQUIRY_ANALYZER_PATH overrides unless you trust the target directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
72% confidence
Finding
The skill declares no permissions, yet its documentation explicitly relies on environment variables and external runtime capabilities. This creates a transparency and trust problem: users and reviewers are not given an accurate picture of what the skill can access or depend on, which can hide data flow or execution assumptions. In a skill that processes customer inquiry data and writes reports, undeclared capabilities increase the risk of unexpected access paths and unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially exceeds the stated purpose: beyond inquiry analysis, it performs OKKI background investigation, report merging, and product-management scraping/caching. This mismatch is dangerous because users may invoke a seemingly narrow reporting skill while it accesses additional systems and collects more customer/company intelligence than expected, expanding both privacy and security exposure. The discrepancy is especially concerning because the extra functions involve potentially sensitive customer profiling data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest presents the skill as an inquiry-analysis tool, but the documentation exposes additional background-investigation and report-merging features. This is a genuine security-design issue because hidden or under-described secondary functions reduce informed consent and make policy review less effective. In enterprise contexts, undocumented data-enrichment features can lead to unauthorized processing of customer information.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Customer background-investigation functionality goes beyond basic inquiry analysis and can materially increase the amount and sensitivity of collected data, such as company, email, tags, and analytical summaries. That expansion raises privacy, compliance, and misuse risks if users are not clearly informed or if access is broader than necessary. In this context, the skill is connected to sales/customer systems, so over-collection is more dangerous than in a purely local analytics tool.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The documented scraping of product-management pages and maintenance of local mapping/cache files exceeds the narrow stated purpose of extracting fields from inquiry data. While lower risk than customer background checks, it still broadens the skill's operational scope and introduces persistence of potentially sensitive business metadata. Hidden scraping and caching can surprise users and complicate review of what internal data the skill stores locally.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script persistently writes full customer chat histories to `chats/` and also stores reports containing customer identifiers, country, handler, and inquiry metadata to disk. In a skill whose stated purpose is inquiry analysis/report generation, retaining raw chats and sensitive customer data without minimization, access controls, or explicit consent materially increases confidentiality and privacy risk beyond what is necessary for producing structured reports.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The debug helper saves full-page screenshots, complete HTML/DOM, and extracted script/JSON blobs from inquiry pages to local disk. Those captures can contain far more customer and account data than needed for normal analysis, creating a broad data exposure mechanism if the machine is shared, compromised, or the artifacts are later mishandled.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements bulk OKKI background-check extraction, including customer identity, company, email, and generated intelligence reports, which materially exceeds the manifest’s stated purpose of simple inquiry analysis. This scope mismatch is dangerous because users or reviewers may grant the skill permissions and trust assumptions appropriate for analytics, while the code actually performs richer surveillance-style data collection and persistence.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script does not merely read existing inquiry data; it actively clicks the “发起背调” (“initiate background check”) button to start new background investigations and then waits for the generated results. Triggering new intelligence gathering changes system state and can cause unauthorized collection of personal or company information beyond the user’s expected read-only analysis request.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code extracts sensitive intelligence fields including name, country, email, company, tags, summaries, and mined profile/company details from the OKKI panel. Collecting and structuring this expanded dataset outside the declared inquiry-analysis scope increases privacy exposure and creates a larger pool of potentially sensitive business and personal information that can be misused or over-retained.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The wrapper trusts INQUIRY_ANALYZER_PATH to locate and execute inquiry-analyzer.js, so anyone who can influence the environment can redirect execution to attacker-controlled code. In an agent or automation context, environment variables are often easier to tamper with than the packaged skill files, making this an arbitrary code execution path outside the stated inquiry-analysis function.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script probes multiple broad filesystem locations and executes the first matching file it finds, which can cause untrusted local code to run if any searched path is writable or can be pre-populated by an attacker. This expands the execution surface beyond the bundled skill and makes behavior dependent on ambient host state rather than trusted package contents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill writes inquiry data, customer information, and chat records to local Markdown, CSV, and text files, but the description does not prominently warn users about this export behavior. This is dangerous because local report generation creates residual sensitive data that may be accessible to other users, backup systems, or later processes. The inclusion of raw chat transcripts increases the chance of unintended disclosure of personal or confidential business information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes customer chat histories and generated reports with personal/business data to local files without any user-facing warning, confirmation, or consent workflow. Even if local persistence is intended, silently exporting sensitive records can violate least surprise, internal handling policies, and privacy expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The debug path captures sensitive inquiry pages to screenshot, HTML, and JSON files without notifying the operator that customer-visible and backend-rendered data may be stored. Because this capture is triggered automatically when title extraction fails, a routine parsing issue can unexpectedly cause large sensitive dumps to be created.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes customer email, company, and background-analysis content into local Markdown and CSV files under okki-reports without any warning, consent flow, access restriction, or retention control. Persisting sensitive data to disk increases the chance of accidental disclosure, unauthorized reuse, or leakage through backups, shared workstations, or downstream processing.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/run-analysis.js:98

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/run-okki.js:96