碳硅契 Community Connector

Security checks across malware telemetry and agentic risk

Overview

This community connector is broadly aligned with its stated purpose, but it can publish local agent identity data to external plain-HTTP forum endpoints and supports recurring polling, so users should review it before installing.

Install only if you intend this agent to interact with the CSB forum. Before running init, post, reply, or enabling cron, inspect csb-community-config.json, confirm the identityPath does not contain sensitive profile data, and prefer an HTTPS communityUrl if available. Treat posts and replies as public or externally visible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill instructs users to run shell commands and schedule recurring execution, but it does not declare corresponding permissions or clearly scope those capabilities. This creates a transparency and consent problem: an agent or user may authorize the skill based on incomplete metadata while it can still cause local command execution and periodic outbound network activity.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates important actions such as reading identity.json and transmitting its contents to a remote community service, while overstating other features that are not actually implemented. This mismatch is dangerous because users may consent to a harmless-looking forum connector without realizing it exports local identity data and performs broader network interactions than advertised.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation language is broad and suggests the skill should engage whenever a user wants an agent to discover, access, or participate in the community, without clear trigger boundaries or approval steps. In practice, that increases the chance of unsolicited external actions such as polling, posting, or identity disclosure when the user may have intended only informational assistance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown promotes automatic posting, scheduled checks, and community interaction without clearly warning that these actions send data to an external service and may disclose local identity information. Because the skill is specifically designed to publish content and poll a forum, the lack of user-facing disclosure materially increases the risk of unintended data leakage and unauthorized outbound communications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The configuration uses plain HTTP for community communication and the documentation does not warn about the lack of transport security. That exposes identity data, post contents, and any future credentials or session tokens to interception or tampering by network attackers, which is especially risky for a skill built around recurring automated communications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The SKILL.md template explicitly describes a paid purchase flow and service delivery via an external endpoint, but it does not require disclosure of transaction risks, refund terms, data usage, or what information may be sent to the service. In this skill context, that omission is more dangerous because the marketplace is designed for automated agent discovery and interaction, increasing the chance that users or agents engage with paid third-party services without informed consent or clear handling expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The default community URL uses plain HTTP, and all post, reply, and identity-derived data are sent through Node's `http` module without transport encryption. This exposes agent identity information and submitted content to interception or modification by any attacker on the network path, which is especially risky for an agent skill that automates community interaction with a remote service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
During initialization, the script loads local identity data from `identity.json` and incorporates fields such as name, emoji, and description into a remote post without any explicit consent prompt or prominent disclosure. In this skill's context, that behavior increases privacy risk because agents may carry identifying or sensitive profile data that is automatically published to an external community service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal