Back to skill

Security audit

Rewrite Question

Security checks across malware telemetry and agentic risk

Overview

This skill mostly performs question rewriting, but it also uses external LLM services, environment credentials, QA SQL templates, Milvus retrieval, and cleanup behavior that are not clearly disclosed in the user-facing description.

Install only if you trust the publisher and are comfortable sending query text, conversation history, QA examples, and SQL templates to the configured LLM endpoint. Review GEMINI_API_URL, GEMINI_API_KEY, GEMINI_TOKEN, and Milvus settings before use, avoid sensitive business data unless the endpoint is approved, and use --clean only when deleting the named workflow outputs is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises only a simple query-rewriting function, yet the documented/runtime behavior indicates access to environment variables, file writes, and networked services without any declared permissions or user-facing disclosure. This hidden capability expansion weakens reviewability and can expose secrets, alter local workflow state, or exfiltrate data if the skill is invoked in a broader agent pipeline.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a substantial description-behavior mismatch: a skill presented as context completion/query rewriting apparently also performs QA matching, SQL generation/update, external Gemini API calls, Milvus access, and reads secrets from .env/environment variables. Such undisclosed behavior is dangerous because operators may trust and route sensitive user queries into a component that can transform them into database-affecting logic and transmit data to external services.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as a question-rewriting component, but its main execution path can return LLM-produced SQL via matched QA pairs and bypass downstream safeguards. This is a dangerous scope mismatch because a caller expecting harmless text normalization may unknowingly invoke query-generation behavior that could be executed elsewhere in the pipeline.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The standalone mode reaches out to Milvus to retrieve thousands of QA pairs, which is not disclosed by the skill description and materially expands its data access surface. Hidden retrieval behavior increases the chance of unintended data exposure and makes it harder for operators to reason about what external systems and datasets the skill touches.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code gives the skill an unjustified capability to generate or modify executable SQL using an external LLM based on QA templates and user input. If downstream systems trust this output, an attacker can influence query semantics, potentially causing unauthorized data access, excessive queries, or harmful SQL to flow through the system.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill loads environment-based service credentials and constructs remote service access for Gemini, including a built-in fallback token, despite being presented as a simple rewrite utility. This unnecessary privilege and connectivity broadens the blast radius if the skill is misused or embedded in a less trusted environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown instructs users to run a mode that writes workflow output and a '--clean' option that clears this and subsequent intermediate files, but it provides no warning about data modification or deletion. In an agent or automation environment, undisclosed write/delete behavior can cause loss of artifacts, break reproducibility, or erase evidence needed for debugging and auditing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
User queries and formatted conversation history are sent to an external LLM endpoint without any explicit disclosure, consent, minimization, or masking visible in this code. In a conversational analytics system, history can contain sensitive business data, making silent exfiltration to third-party services a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code transmits QA question text and SQL templates to an external LLM to rewrite time conditions, exposing potentially sensitive internal logic, schema knowledge, and query patterns. Even if no credentials are sent, leaking proprietary SQL and business semantics to a remote provider can materially increase data governance and confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:101

Python code POSTs credential environment variables to an environment-controlled URL.

Critical
Code
suspicious.env_credential_access
Location
rewrite_question.py:508

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:91