闻其声耳轻松可视采耳

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent ear-care customer-service core, but it also asks for automatic remote installation and persistent updates, and it includes unrelated multi-role development bot behavior that needs review before use.

Install only after reviewing the scripts. Prefer manual installation from a pinned commit or reviewed release; do not add the keyword-based CLAUDE.md auto-install rule; disable cron or Scheduled Task auto-updates unless they are explicitly needed; and do not deploy the platform bot server until its request verification and group-message collection behavior are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (42)

Description-Behavior Mismatch
Severity: Medium. Confidence: 93%.
Finding: The README frames the skill as a simple store-information customer service tool, but the documented behavior includes unattended remote installation and daily auto-update on the user's machine. That creates a materially broader trust and execution boundary than the stated purpose, allowing future repository changes to run code locally without explicit user review.

Context-Inappropriate Capability
Severity: High. Confidence: 98%.
Finding: The README instructs agents to fetch and immediately execute remote shell and PowerShell code via command pipelines. This is dangerous because any compromise of the repository, upstream hosting, or update path can lead to arbitrary code execution on the user's machine, which is unnecessary for a store Q&A skill.

Context-Inappropriate Capability
Severity: Medium. Confidence: 95%.
Finding: The CLAUDE.md instructions create persistent keyword-triggered self-installation and update behavior in the agent's global configuration. This extends the skill from answering questions into an ambient capability that can execute shell commands and pull updates whenever broad trigger words appear, increasing the chance of abuse or unintended execution.

Context-Inappropriate Capability
Severity: High. Confidence: 98%.
Finding: The README instructs users to execute a remote installer via shell piping and states that auto-update will be configured automatically. For a customer-service skill that should answer store information, this installation pattern is unnecessary and dangerous because it grants arbitrary code execution on the user's system and creates ongoing update-based code execution risk.

Context-Inappropriate Capability
Severity: High. Confidence: 97%.
Finding: The auto-discovery section tells agents to install the skill automatically on keyword mention and to run git-based updates before use. This exceeds the expected scope of a store-info skill and creates a trigger path from ordinary conversation to local command execution and retrieval of unreviewed remote content.

Description-Behavior Mismatch
Severity: High. Confidence: 99%.
Finding: The file contains a generic multi-provider LLM client plus multi-role reviewer/frontend/backend software-development agent prompts, which substantially exceed the declared ear-care store customer-service purpose. This expands capability from narrow customer support into general task orchestration and code-generation behavior, increasing the risk of misuse, prompt injection impact, and unauthorized repurposing of the skill.

Context-Inappropriate Capability
Severity: High. Confidence: 99%.
Finding: The collaborative software-engineering agent capability is unjustified by the advertised business purpose and introduces powerful off-scope behavior. In this skill context, hidden or unnecessary agentic development features are especially risky because they can be triggered or repurposed to generate code, coordinate bots, and act outside expected customer-service boundaries.

Description-Behavior Mismatch
Severity: High. Confidence: 97%.
Finding: The root endpoint advertises a multi-role collaborative development workflow and exposes reviewer/frontend/backend bot routes that do not match the declared ear-care customer-service skill. This kind of scope mismatch is dangerous because it can hide undeclared capabilities, expand the attack surface, and mislead deployers or reviewers about what the skill actually does.

Description-Behavior Mismatch
Severity: High. Confidence: 98%.
Finding: The role-specific Feishu endpoints for reviewer, frontend, and backend bots are unrelated to the stated store-customer-service function. Undeclared role endpoints create hidden functionality and additional entry points that could be abused or accidentally exposed in production.

Intent-Code Divergence
Severity: Medium. Confidence: 93%.
Finding: The module header and startup text describe a collaborative development bot server rather than an ear-care storefront assistant. This inconsistency is a supply-chain and trust risk because reviewers and operators may approve or deploy software under false assumptions about its purpose and behavior.

Intent-Code Divergence
Severity: High. Confidence: 99%.
Finding: The function claims to verify DingTalk request signatures but always returns True, so any party that can reach the endpoint can forge platform messages. In a customer-service skill that forwards message content to the AI backend and stores conversation history by sender identifier, this enables spoofed requests, unauthorized use, conversation poisoning, and possible abuse of downstream AI resources.

Description-Behavior Mismatch
Severity: High. Confidence: 97%.
Finding: The file implements a Feishu multi-bot orchestration system with reviewer/frontend/backend roles, which materially exceeds the declared ear-care store customer-service purpose. This capability expansion is dangerous because it enables general-purpose coordinated agent behavior in group chats, creating an opportunity for unauthorized task routing, broader data access, and misuse inconsistent with user expectations for a simple store FAQ skill.

Description-Behavior Mismatch
Severity: High. Confidence: 99%.
Finding: The code unconditionally stores every group text message into shared conversation history before deciding whether the bot should respond. This is dangerous because it collects unrelated group chat content, including messages not directed at the bot, and makes that content available for later model processing and cross-role reuse without any scope restriction.

Context-Inappropriate Capability
Severity: Medium. Confidence: 91%.
Finding: Multi-role reviewer/frontend/backend coordination is not justified by the stated storefront customer-service use case and expands the operational surface of the skill. Even if not overtly malicious, this creates unnecessary privilege and behavior complexity, making abuse, prompt cross-contamination, and unauthorized automation more likely in a consumer-facing support setting.

Intent-Code Divergence
Severity: Medium. Confidence: 98%.
Finding: The comments claim unrelated group chat will not be handled, but the implementation still records all messages into shared history. This mismatch is dangerous because maintainers and reviewers may assume the privacy boundary is narrower than it really is, allowing silent overcollection and later reuse of unrelated user content.

Intent-Code Divergence
Severity: Medium. Confidence: 98%.
Finding: The GET verification handler explicitly skips the required WeCom signature validation and echostr decryption, and in some cases returns echostr directly even when secrets are unset. This allows unauthenticated requests to appear valid and breaks the trust boundary for platform verification, enabling spoofed verification or incorrect endpoint exposure.

Intent-Code Divergence
Severity: Medium. Confidence: 96%.
Finding: The decryption helper is documented as handling WeCom message decryption but simply returns the input unchanged. If later used or assumed to provide authenticity/confidentiality guarantees, encrypted or signed payloads would be processed without actual verification, creating a dangerous false sense of security.

Description-Behavior Mismatch
Severity: Medium. Confidence: 95%.
Finding: The installer establishes persistent OS-level behavior by creating a daily scheduled task, which exceeds what is necessary for a storefront information/customer-service skill. Even if intended for convenience, persistence increases attack surface because future repository changes or compromised update scripts would execute automatically without the user re-approving them.

Context-Inappropriate Capability
Severity: High. Confidence: 98%.
Finding: The script registers a Windows scheduled task that launches bash to run a shell script on a daily basis, creating cross-shell persistence unrelated to the stated ear-care customer-service functionality. This is dangerous because it enables unattended code execution from the installed skill directory, so any later modification of the update script or repository could be executed automatically at the OS level.

Context-Inappropriate Capability
Severity: Medium. Confidence: 95%.
Finding: The installer establishes persistent cron-based execution for a customer-service skill, which exceeds what is necessary to install static skill content. This creates an ongoing code-execution path that can silently pull and run future changes, increasing supply-chain and persistence risk if the repository or update script is ever modified or compromised.

Vague Triggers
Severity: High. Confidence: 90%.
Finding: The trigger keywords include broad everyday terms such as '采耳' (ear cleaning) and related phrases, which can cause accidental activation in unrelated conversations. In combination with automatic installation behavior, overly broad triggers materially increase the risk of unintentional code execution and persistence.

Vague Triggers
Severity: Medium. Confidence: 82%.
Finding: The activation scope is described broadly as any question about the store and related services, without clear boundaries or exclusions. While less severe than direct code execution, vague activation rules increase the likelihood of unintended triggering, especially when paired with auto-load or auto-install mechanisms.

Missing User Warnings
Severity: High. Confidence: 94%.
Finding: The documentation encourages remote-script installation and automatic updating but does not warn users that arbitrary shell or PowerShell commands will execute locally and may continue updating over time. Lack of transparent risk disclosure undermines informed consent and makes socially engineered adoption more likely.

Missing User Warnings
Severity: High. Confidence: 95%.
Finding: The auto-install and update instructions omit clear warnings that the agent will execute shell commands and git operations in the background based on conversational keywords. Users may reasonably think they are enabling only store Q&A, when in fact they are granting ongoing command execution capability tied to loosely scoped triggers.

Vague Triggers
Severity: High. Confidence: 96%.
Finding: The trigger phrases are broad and include common terms like 'ear cleaning' and 'ear care', and the README pairs them with automatic installation. This makes accidental or adversarial invocation more likely, turning benign conversation text into a mechanism for installing and updating code without a clear trust boundary.

VirusTotal

VirusTotal findings are pending for this skill version.
