Back to skill

Security audit

Linkfox 1688货源

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support 1688 product and image search, but it under-discloses public uploads, local response storage, and environment-routed authenticated requests.

Review before installing. This skill may send API keys and session metadata to a configurable gateway, upload selected images to public URLs, and save full search responses on disk. Use it only in an environment where those variables and files are controlled, avoid sensitive images, and check saved response files before sharing or committing the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Tainted flow: 'req' from os.environ.get (line 128, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
}
    req = Request(get_api_base() + path, data=data, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=TIMEOUT_SECONDS) as response:
            body = response.read().decode("utf-8")
            return json.loads(body) if body else {}
    except HTTPError as exc:
Confidence
86% confidence
Finding
with urlopen(req, timeout=TIMEOUT_SECONDS) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
94% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Tainted flow: 'req' from os.environ.get (line 57, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urlopen(req, timeout=120) as response:
            if response.status not in (200, 201):
                print(f"Upload failed with status: {response.status}", file=sys.stderr)
                sys.exit(1)
Confidence
90% confidence
Finding
with urlopen(req, timeout=120) as response:

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document states that search results are 'not stored', but elsewhere mandates that the full API response is always written to disk. That contradiction can mislead operators and users about data handling, causing them to submit sensitive product or image-derived data under false assumptions. In this skill context, the risk is higher because the saved responses are tied to session/project directories and may persist beyond the immediate task.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation promises not to write to /tmp and to error if the current directory is not writable, but the implementation falls back to the home directory and then the temp directory. This mismatch can cause sensitive API responses to be stored in locations the operator did not expect, weakening data-handling guarantees and potentially exposing data to other local users or cleanup processes.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill contains a hard requirement that the agent use a specific channel behavior ('must pass channel=workbuddy') regardless of user choice. This is a form of instruction poisoning in the skill manifest: it can override platform/user intent and influence authentication or onboarding flows without explicit user opt-in.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to upload local images to obtain a public URL valid for 24 hours, but does not prominently warn that this exposes the image to anyone with the link and may disclose sensitive or proprietary content. In an image-based sourcing workflow, users may upload product photos, unreleased designs, or personal data embedded in images, making silent publication a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script always persists the full API response to disk, and that response may contain sensitive user-supplied content, identifiers, or remote-service data that the user did not intend to store locally. In a shared workspace or agent environment, automatic durable storage increases the risk of later disclosure, cross-task data exposure, and retention beyond the immediate task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script always persists the full API response to disk, including potentially sensitive product search results, tokens, or returned metadata, without an interactive warning or runtime consent. In agent workflows, users may assume a tool only prints results; silent persistence increases the risk of unintended retention, later disclosure, or indexing of sensitive data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends SESSION_ID, MODE_ID, and APP_NAME from the environment in outbound headers without clear user-facing disclosure in the execution flow. In an agent environment, these values may reveal internal identifiers, workflow context, or application metadata to the remote service beyond what is necessary for the requested action.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script explicitly sets the uploaded object ACL to public-read and returns a public URL, but it does not require a confirmation or clearly warn the user at upload time that the file will be publicly accessible. In a skill context, this increases the risk of accidental disclosure of sensitive local images or screenshots.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill requires always saving full tool responses under the current working project/session directory, which can retain user-supplied image references, returned product metadata, and potentially authentication- or session-correlated data longer than necessary. In shared workspaces, repos, or synced project folders, this increases the chance of unintended disclosure, later exfiltration, or accidental check-in to version control.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.