Back to skill

Security audit

亚马逊-广告报表

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for Amazon Ads reports, but it handles sensitive ad data with default local file serving and broad local retention that users should review before installing.

Install only in a trusted local environment. Treat Amazon Ads reports, saved paths, and temporary download links as sensitive business data. Prefer passing serveExtractedFileHttp=false for sensitive reports, avoid changing serveHost away from 127.0.0.1, and periodically delete the generated temp report files and linkfox output directory if you do not need retained copies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documentation materially understates behavior: it says the skill directly returns structured report data, but the documented flow also persists full responses to disk, starts a local HTTP server, exposes temporary download links, and may expose Amazon source URLs. That mismatch can cause users and calling agents to disclose or retain sensitive advertising data in ways they did not expect, weakening informed consent and safe handling of report contents.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill advertises returning structured data, but it also exposes downloaded report files via a local HTTP server and returns local filesystem paths/URIs. That expands the data exposure surface and can unintentionally disclose sensitive ad-performance data to other local users, processes, or browser contexts on the host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script starts a local HTTP server by default to serve the extracted report, which is not necessary for core report retrieval and increases the attack surface. Even when bound to 127.0.0.1 by default, sensitive report data becomes accessible to other local processes, browser extensions, or users on the same machine; if serveHost is changed, exposure can become broader.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates writing full response data to local disk for every run without a clear user-facing warning or consent mechanism. Amazon Ads reports can contain sensitive commercial data, and automatic persistence increases the risk of unintended retention, local disclosure, or later access by other tools, users, or processes on the same machine.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents automatically exposing downloaded Amazon Ads report data via a temporary local HTTP server and even enables it by default. Even though it binds to 127.0.0.1, this can still expose sensitive advertising data to other local users, browser-based localhost access, malware, or unintended processes on the same machine, especially without an explicit warning or stronger access controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The sample curl request includes an Authorization bearer token pattern and other credential-bearing headers directly in documentation without an explicit warning to use placeholders, protect secrets, or avoid committing real tokens. In an API integration skill focused on Amazon Ads reporting, users are likely to copy-paste examples, which increases the chance of accidental credential exposure in terminals, logs, screenshots, chat transcripts, or source control.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Local HTTP serving is enabled by default without requiring explicit user acknowledgement at the point of action. For a skill handling potentially sensitive Amazon Ads reports, silently creating a reachable download endpoint violates secure-by-default principles and can expose data to unintended local consumers.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill instructs persistent storage of complete response data and encourages exposing local file paths and temporary access links in normal workflow output. This increases the chance that sensitive report contents, account identifiers, and retrievable artifacts are leaked into chat history, logs, screenshots, or shared terminals, especially because a local HTTP server expands the exposure surface beyond simple local storage.

Ssd 3

Medium
Confidence
95% confidence
Finding
Requiring the agent to always show the complete local file path and access link unnecessarily discloses sensitive artifact locations and retrieval mechanisms. Even if the link is temporary, revealing it in conversational output can leak access through transcripts, clipboard history, terminal scrollback, or collaboration tools.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.