上海落户公示查询 (Shanghai Luohu)

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Shanghai settlement notice pages and may open the official results in a browser, with no evidence of credential access, persistence, exfiltration, or destructive behavior.

Install only if you are comfortable with a local script fetching public sh-italent.com pages and opening browser tabs automatically. Use --no-browser when you only want printed results, and treat the company/person query support as limited because the reviewed Python options are accepted but not actually used for filtering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares execution of a Python script that performs network access and can invoke browser-opening behavior, yet no explicit permissions model is declared. This weakens user consent and platform enforcement because a seemingly simple lookup skill can reach external sites and trigger local actions without transparent authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a public-announcement query, but the skill also auto-launches a local browser and exposes behavior not cleanly reflected in the top-level description. This mismatch is dangerous because users and policy engines may approve the skill for simple lookup functionality while it performs additional local side effects and presents unsupported query capabilities.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill's stated purpose is to query and display Shanghai hukou public notice information, but it also performs a GUI side effect by launching Safari and opening multiple tabs. This is dangerous because it violates least surprise, can trigger unintended browser activity on the host, and expands the execution surface beyond simple data retrieval without obtaining user consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The Mac-specific AppleScript block is not necessary to fulfill the declared function of querying public notice data and introduces host GUI automation capabilities. Unnecessary automation is risky because it can be repurposed for broader local interaction patterns, reduces portability, and creates unexpected behavior on user machines.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases such as generic terms for hukou/public notices can cause the skill to activate on unrelated or only partially related user requests. Unintended activation can expose users to unexpected network requests and browser launches, especially because this skill has side effects beyond returning text.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes ambiguous standalone phrases without strong disambiguation rules, increasing the chance of accidental invocation. In this skill, accidental invocation matters more because the workflow may execute code, contact external sites, and open a browser automatically.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill indicates that it may automatically open a browser, but does not present this as a clear user-facing warning or consent gate before execution. Automatic local application launch is a meaningful side effect that can surprise users, disrupt workflows, and normalize unsafe execution patterns for seemingly informational skills.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The script opens Safari and navigates to several URLs without prior confirmation or a clear up-front warning, which is an unsafe quality issue. While the destinations are hardcoded or parsed from the target site rather than attacker-controlled input in this script, the lack of consent can still surprise users and cause unwanted local side effects.

VirusTotal

66/66 vendors flagged this skill as clean.
