Back to skill

Security audit

cn-geo-monitor

Security checks across malware telemetry and agentic risk

Overview

The skill is a real China-focused AI search optimization helper, but it sends user business/content data to external API endpoints and contains an unsafe script input-handling pattern that warrants review before installation.

Install only if you are comfortable sending brand, competitor, keyword, and content text to the listed Tencent Cloud Function API. Avoid using unpublished confidential material, and do not run predict.sh on untrusted or adversarial text until the payload construction is fixed and the skill adds clear network-use disclosure and user confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises executable CLI scripts and shell usage but, per the finding, does not declare corresponding permissions. Undeclared execution capability reduces transparency and can cause users or the host agent to invoke shell-backed behavior without an explicit trust decision, which is risky when the skill also reaches external endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill claims narrowly scoped China-specific GEO functionality, but the described behavior includes broader generic GEO access and omits several headline features such as real visibility checks and competitor comparison. This mismatch is dangerous because users may disclose brand, competitor, or content data under false assumptions about what the skill actually does, undermining informed consent and trust boundaries.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list contains broad phrases such as generic Chinese GEO and competitor-analysis terms, which can cause the skill to activate on unrelated prompts. Overbroad activation increases the chance that user content is routed into this skill unexpectedly, especially given its external API usage and domain-specific workflow mandates.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to submit brand names, competitor names, keywords, and content for prediction and checking, but does not clearly warn that this information is sent to external APIs. This is a substantive privacy and confidentiality issue because competitive strategy, unpublished content, or sensitive business data could be transmitted off-platform without informed user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script makes outbound network requests to a remote API endpoint without any explicit user disclosure, confirmation, or offline mode. In a security-sensitive environment, undisclosed network access can leak user intent, queried engine names, IP address, and execution metadata to a third-party service, which is especially relevant because this skill is marketed as an executable CLI tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits the full user-provided content to a remote Tencent Cloud Function endpoint for scoring, but the user-facing interface does not clearly warn that their input will leave the local environment. This creates a privacy and data-handling risk, especially if users paste unpublished marketing copy, internal brand plans, or sensitive business content into the tool.

VirusTotal

2/64 vendors flagged this skill as malicious, and 62/64 flagged it as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.