Security audit

Bettafish Opinion Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated opinion-analysis purpose, but it bundles broad document/PDF tooling and an invasive LibreOffice helper that compiles and preloads native code from /tmp, so it should receive Review before installation.

Install only if you are comfortable with a skill that can send analysis topics to external search/API sites, download media locally, create shareable reports on disk, and invoke office/PDF/video command-line tools. Review or disable the bundled docx LibreOffice shim before use in sensitive environments, and avoid using it for confidential investigations or protected documents unless you have clear authorization and a cleanup/retention plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
```
Confidence
93% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises significant capabilities including network access, shell execution, and local file read/write, but does not declare permissions or boundaries for those operations. This creates a trust and review gap: users and the platform cannot easily assess that the skill may download media, invoke curl/ffmpeg/python, read templates, and write multiple report artifacts locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is narrow public-opinion analysis, but the described and inferred behaviors include broader local document manipulation, PDF utilities, video frame extraction, template parsing, and other file-processing actions not tightly scoped to the declared task. Such mismatch is dangerous because it hides effective capability breadth, making abuse or unsafe invocation more likely and undermining informed consent and security review.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Setting LD_PRELOAD to inject a custom shared library into LibreOffice is a strong process-manipulation mechanism that alters low-level libc behavior. In the context of a document/report generation skill, this is unusually invasive and dangerous because any compromise of the generated .so or its location results in arbitrary native code execution whenever soffice is launched.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Spawning gcc to build native code during normal skill execution is not a routine requirement for sentiment analysis or report generation and creates an unnecessary execution capability. In combination with later LD_PRELOAD use, this turns the helper into a dynamic native-code deployment path, making the surrounding system materially more dangerous if the environment, temp path, or build inputs are tampered with.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README shows a very broad natural-language trigger example that can activate the skill from ordinary conversational requests without requiring explicit opt-in. In this skill's context, activation leads to real-time web collection, multi-agent processing, and file generation, so accidental invocation can cause unintended network access, analysis of possibly sensitive subjects, and artifact creation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README emphasizes automatic real-time data collection and multi-format report output, but does not warn users that the skill may contact external sites, process potentially sensitive queries, and create local files. In a reputation-analysis skill, targets may be individuals, brands, or incidents, so silent collection/output behavior increases privacy, consent, and data-handling risk.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation guidance is very broad and explicitly says to use this skill even for complex multi-step analysis whenever relevant, which increases the chance of over-triggering. In context, overbroad invocation matters because the skill performs external retrieval, local media downloads, shell commands, and multi-file generation, so accidental activation can expose user queries and consume local resources unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill states that it downloads external videos locally and processes them, but does not present a clear user-facing warning about local storage use, temporary files, or generated output artifacts. This is risky because users may unknowingly cause media downloads and accumulation of temporary or final files that can persist on disk and contain sensitive topics or copyrighted material.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill heavily relies on WebSearch, WebFetch, Browser, Curl, and external sites/APIs, yet it does not warn users that their supplied topics, brands, or incident queries may be transmitted to third parties. In a public-opinion analysis context, queries can contain sensitive reputational, legal, or crisis information, making undisclosed external transmission more dangerous.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The document states that final results are exported to HTML/Markdown files but does not clearly warn users that analyzed content may be written to disk. In a reputation-analysis skill that collects public posts, reports may still contain sensitive or regulated information, so silent persistence increases privacy, retention, and accidental disclosure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly requires sending analysis queries and fetched content to external services and websites via WebSearch, WebFetch, Browser, and Curl, but it provides no privacy boundary or warning about exposing sensitive user prompts, investigation targets, or internal context to third parties. In a reputation-analysis skill, the queried subjects themselves may be confidential, making silent transmission of that context materially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide mandates creation of Word, PDF, and HTML reports but does not address that these artifacts can persist sensitive findings on disk, in temporary files, caches, browser-accessible HTML, or shareable attachments. Because the skill is designed for deep analysis of brands, crises, and accounts using real data, the generated reports may contain reputationally sensitive or legally risky material that is easy to redistribute unintentionally.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger description is extremely broad and instructs use for generic requests like any "report," "memo," or "letter," which can cause the subskill to activate outside its intended scope. Over-broad routing increases the chance that unrelated user tasks are handled by a powerful file-manipulation skill, potentially exposing local documents or causing unintended document generation/editing actions.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The script silently writes a LibreOffice Basic macro into a persistent profile under /tmp and later executes it. In an agent skill that processes user-supplied documents, silently introducing executable macro code into an office profile expands attack surface, can create persistence across runs, and may surprise operators who do not expect the tool to install code into an application profile.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The helper silently writes C source into a shared temporary directory and compiles it without disclosure or explicit user consent. While lack of disclosure alone is not code execution, here it obscures behavior that creates executable native artifacts and makes operational review, sandbox policy enforcement, and forensic visibility harder.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is scoped so broadly that it can trigger on a wide range of generic frontend or styling requests, increasing the chance the agent invokes this subskill when a narrower or safer tool would be more appropriate. Over-broad routing can cause capability drift, unnecessary code generation, and unintended handling of requests outside the intended opinion-analysis workflow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation text says to use this skill whenever the user wants to do anything with PDF files, including whenever a .pdf is merely mentioned. That broad routing can cause the agent to invoke PDF-processing capabilities in contexts where PDF handling is incidental, increasing the chance of unnecessary file access, unintended tool use, or execution of risky document operations without clear user need.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly documents removing PDF passwords and decrypting protected files without any authorization, ownership, or consent checks. In an agentic environment, this normalizes bypassing document protections and could be used to process confidential PDFs the user is not entitled to access, creating data exposure and policy-compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
**Curl usage examples:**
```bash
# Fetch API data
curl -s "https://api.social-media.com/posts?q=某咖啡品牌"

# Page request with headers
curl -s -H "User-Agent: Mozilla/5.0" \
Confidence
83% confidence
Finding
https://api.social-media.com/

External Transmission

Medium
Category
Data Exfiltration
Content
"https://www.example.com/api/data"

# Fetch and pipe the output to Python for processing
curl -s "https://api.example.com/data" | python -c "import sys,json; print(json.load(sys.stdin))"
```

### MediaAgent video analysis
Confidence
85% confidence
Finding
https://api.example.com/

External Script Fetching

High
Category
Supply Chain
Content
2. WebSearch("site:weibo.com 某咖啡品牌")
3. Browser: visit key pages to obtain detailed content
4. WebFetch: obtain structured page data
5. Curl: command-line retrieval of API data or special pages
```

**Curl usage examples:**
Confidence
88% confidence
Finding
Curl: command-line retrieval of API data or special pages ``` **Curl usage examples:** ```bash # Fetch API data curl -s "https://api.social-media.com/posts?q=某咖啡品牌" # Page request with headers curl -s -H "User-Agent: Mozilla/5.0" \ -H "Accept: application/j

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.