File encryption/decryption (file-crypto)

Security checks across malware telemetry and agentic risk

Overview

This encryption/authentication skill appears useful, but it has Review-level concerns around unclear remote backend use and exposing a reusable auth token in chat.

Review this skill carefully before installing. Only use it if you understand what backend service it contacts, what file data or metadata is sent, and how authIds are protected. Treat any authId as a secret: do not paste it into shared chats, logs, screenshots, or issue reports, and prefer a secure secret store or short-lived session handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The skill claims it does not access any external network, but the configuration example includes a remote API endpoint and multiple sections reference backend responses. This mismatch can mislead reviewers and users about data flow and trust boundaries, causing sensitive file metadata or authentication operations to be treated as local-only when they may depend on a remote service.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger conditions are overly broad, effectively forcing invocation whenever file encryption concepts or certain paths are mentioned. This increases the chance of unintended execution on sensitive server-local files or credential workflows without sufficient user confirmation or scope validation.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The skill instructs the agent to return the full authId directly to the user with no warning or handling restrictions. Since authId is an authentication token used for later encryption/decryption operations, exposing it in plaintext creates a credential disclosure risk and enables misuse by anyone who gains access to the conversation or logs.

Ssd 3

Severity: High
Confidence: 100%
Finding:
This is a direct secret-exposure issue: the workflow explicitly tells the agent to reveal a valid authentication token in plain language. In context, the token grants access to file crypto operations for 15 days, so disclosure could enable unauthorized encryption/decryption actions, replay, and downstream compromise through chat history, logs, screenshots, or prompt leakage.

VirusTotal

62/62 vendors flagged this skill as clean.
