Security audit

Content Collector

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its content-collection purpose, but it deserves Review because it can automatically use browser/session credentials, write into an Obsidian vault, and invoke helper scripts outside the reviewed package.

Install only if you want an agent to persistently save fetched content, transcripts, images, comments, and metadata into local collections and possibly your Obsidian vault. Use a dedicated vault and browser profile if possible, avoid exposing private browser sessions or sensitive intranet pages, and review or supply the missing helper scripts yourself before relying on the workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation describes file reads/writes, network fetching, env usage, and syncing to an external Obsidian vault, but no explicit permission model is declared. That creates an authorization gap: a caller may invoke a seemingly simple 'content collection' skill without realizing it can modify local files, access sensitive environment-backed credentials, and exfiltrate fetched content to third-party services.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose sounds like personal bookmarking, but the workflow expands into broad scraping, media downloading/transcription, external API use, cookie/env-backed access, and synchronization into another knowledge store. This mismatch is dangerous because users and orchestrators may grant trust appropriate for a note-taking skill while the actual behavior has substantially larger privacy, legal, and system-modification reach.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: The skill goes beyond collection by running automatic project association and appending to a writing handoff file, which are side effects outside the user's likely mental model. This increases the risk of unauthorized data propagation, cross-project contamination, and accidental disclosure of collected material into unrelated workflows.

Context-Inappropriate Capability
Severity: Medium
Confidence: 78%
Finding: Appending to Obsidian Daily Notes introduces writes outside the primary collection store and is not clearly necessary for the advertised bookmark/knowledge-management function. Because this side effect is automatic and skipped only when the CLI is unavailable, it can modify unrelated personal notes and create unexpected persistence in a broader area of the user's vault.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The script accepts Bilibili cookies from a local file or environment variable and automatically attaches them to outbound requests, enabling use of the operator's authenticated session. For a content-collection skill, this introduces credential handling and account-context access without clear necessity, consent, or guardrails, increasing the chance of session misuse or accidental exposure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The script invokes yt-dlp with `--cookies-from-browser chrome` to access subtitles on Bilibili, which causes the tool to read the user's browser cookie store. That grants access to authentication material far broader than simple transcription needs and is not clearly disclosed or narrowly scoped, creating unnecessary exposure of sensitive session data.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: For Xiaohongshu and Douyin downloads, the script automatically tries Chrome cookies first, again reading browser authentication data without clear necessity or consent. In a content-collection skill, this expands privileges beyond expected behavior and could expose unrelated logged-in sessions if the environment or downstream tools are compromised.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The README states that the skill 'automatically detects collection requests and saves content' without documenting strong trigger boundaries or confirmation requirements. In an agent setting, broad activation language can cause unintended invocation and writes when a user is only discussing content rather than explicitly asking to save it, creating unwanted persistence of data and possible privacy issues.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README describes automatic saving to `<WORKSPACE>/collections/` but does not prominently warn that using the skill causes persistent local storage of fetched content. Users may unknowingly cause the agent to write potentially sensitive URLs, article text, transcripts, or extracted media to disk, which is especially risky in a knowledge-management skill handling broad web content.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill automatically writes to workspace files and an Obsidian vault without a prominent user-facing warning or confirmation. Silent data modification is risky because it can defeat user expectations, leak sensitive content into synced notes, and create durable side effects from what may appear to be a simple lookup or bookmark action.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The workflow fetches content from arbitrary external URLs, downloads/transcribes media, and uses outside services, yet does not clearly warn about privacy, bandwidth, copyright, and remote-data exposure implications. In practice, user-supplied links could cause unexpected downloads, transmission of content to third parties, or access to semi-private resources using local browser/session state.

Vague Triggers
Severity: Medium
Confidence: 86%
Finding: The eval prompts define broad natural-language triggers like '收藏', '存一下', 'save', and recall-style requests without clearly constraining when the skill should activate versus when other skills or normal chat should handle the request. In an agentic system, overly broad activation examples can cause the skill to run on ambiguous user input, leading to unintended web fetching, local script execution, or file writes in response to benign conversation.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The instruction to silently fall back to direct file writes removes transparency around a change in write mechanism and target path. Silent degradation is risky in a note-management context because users may believe content is being handled through the expected IPC/CLI path while the skill is actually writing directly into the vault filesystem, increasing the chance of unintended writes, sync conflicts, or policy bypass.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The code reads credentials from `--cookie-file` or `BILIBILI_COOKIE` and transmits them in HTTP headers without any user-facing warning at runtime. That means an operator may unknowingly send live session cookies to remote endpoints, which can expand access beyond public data and create account privacy or session-handling risks.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script accesses sensitive browser cookies and also consumes ASR credentials from environment variables, but it provides no explicit warning, confirmation, or audit trail for that sensitive-data use. This is dangerous because users may unknowingly run the tool in a trusted environment where browser sessions or API secrets become available to helper processes and logs.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.