Back to skill

Security audit

LinkFox 账号与环境引导

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for LinkFox onboarding, but it handles SMS login codes, API keys, endpoint overrides, and payment-order creation with limited safeguards.

Review before installing. Use it only if you trust the LinkFox publisher and are comfortable with your agent seeing your phone number, SMS code, and LinkFox API key. Prefer manual registration/API-key creation if possible, verify that LinkFox endpoint environment variables point only to trusted LinkFox domains, avoid using anyone else’s phone number, and store the API key in a safer secret manager or session-only environment variable when practical.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tainted flow: 'url' from os.environ.get (line 241, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if with_uid:
        headers["uid"] = uid or _LOGIN_FIXED_UID
    try:
        r = requests.post(url, json=body or {}, headers=headers, timeout=30)
        return r.json()
    except Exception as e:
        return {"_error": str(e), "_body": getattr(e, 'response', None) and e.response.text[:500] if hasattr(e, 'response') else ""}
Confidence
95% confidence
Finding
r = requests.post(url, json=body or {}, headers=headers, timeout=30)

Tainted flow: 'url' from os.environ.get (line 241, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if group_id:
        headers["tid"] = group_id
    try:
        r = requests.post(url, json=body or {}, headers=headers, timeout=30)
        return r.json()
    except Exception as e:
        return {"_error": str(e), "_body": getattr(e, 'response', None) and e.response.text[:500] if hasattr(e, 'response') else ""}
Confidence
96% confidence
Finding
r = requests.post(url, json=body or {}, headers=headers, timeout=30)

Tainted flow: 'req' from os.environ.get (line 248, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
},
        )
        try:
            with urlopen(req, timeout=30) as resp:
                raw = resp.read().decode()
            return json.loads(raw)
        except urllib.error.HTTPError as e:
Confidence
94% confidence
Finding
with urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 248, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
time.sleep(1 << (attempt - 1))
        req = Request(url, method="GET", headers={"Authorization": api_key})
        try:
            with urlopen(req, timeout=30) as resp:
                raw = resp.read().decode()
            return json.loads(raw)
        except urllib.error.HTTPError as e:
Confidence
94% confidence
Finding
with urlopen(req, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill directs the agent to read environment variables, write persistent shell configuration files, and make network-backed registration/payment calls, but it does not declare those capabilities or present explicit consent boundaries. That increases the chance that a host or user will not understand the skill’s effective privileges, especially because it handles credentials and payment flows.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script claims phone numbers are masked in output, but the invalid-format error path interpolates the full user-supplied phone value into the errmsg field. This can leak sensitive personal data into stdout, logs, orchestration layers, or chat transcripts, especially in an onboarding flow where phone numbers are expected to be handled carefully.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill asks the user for a phone number and SMS verification code and then sends them through scripts to external services, but it does not clearly warn that these are sensitive authenticators being transmitted off-platform. SMS codes are effectively one-time login secrets, so collecting and relaying them through the agent creates phishing-like account takeover risk if the flow or endpoint is compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The environment-variable setup instructions append the API key to shell rc files, which stores the secret in persistent plaintext on disk and may expose it to local users, backups, sync tools, or later accidental disclosure. The skill mentions duplicate lines but not the security implications of long-term plaintext secret storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document defines end-to-end flows to obtain, generate, and use API tokens, access tokens, refresh tokens, JWT-derived identifiers, and payment/order details, but does not require masking, minimal disclosure, or explicit user consent before handling or presenting those secrets. In an agent skill context, this omission is dangerous because the skill is specifically designed to bootstrap credentials and billing actions, increasing the chance that secrets are exposed in chat, logs, screenshots, or downstream tool output.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents a phone-number and SMS-code login/registration flow that can create or access accounts and trigger onboarding actions, yet it lacks clear warnings about privacy impact, account ownership verification, consent, and the consequences of using someone else's phone number. Because the flow can log in existing users or auto-register new ones and then generate API credentials, misuse could lead to unauthorized account access, credential issuance, and billing exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs a real order-creation action and generates payment artifacts immediately after only local argument validation, with no built-in confirmation gate, dry-run mode, or explicit user-consent check in the execution path. In this skill’s context, triggering billing and payment QR generation is a financially sensitive side effect, so accidental or indirect invocation could cause unwanted charges or social-engineering pressure to pay.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs sensitive authenticated actions—logging in with an SMS code, triggering account-side effects for new users, and retrieving or generating an API key—without any built-in confirmation, consent gate, or explicit warning at execution time. In an agent-skill context, that makes accidental credential provisioning and secret exposure more dangerous because the skill can normalize obtaining long-lived API credentials from a user’s phone-based login flow.

Ssd 3

High
Confidence
97% confidence
Finding
This skill instructs the agent to collect a user’s phone number and SMS verification code, log in on the user’s behalf, retrieve or generate an API key, and then handle that key for configuration. That centralizes multiple sensitive credentials in the agent workflow and materially increases the blast radius of prompt leakage, logging exposure, malicious skill modification, or operator compromise.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.