Security audit

海报PPT页面设计师 (Poster/PPT Page Designer)

Security checks across malware telemetry and agentic risk

Overview

This design skill appears functional, but it handles account passwords and SMS verification codes in ways users should review carefully.

Install only if you are comfortable using Lingque/Pinza as an external provider for your design prompts and image URLs. Use a dedicated Lingque account and password and do not reuse important passwords; avoid sharing SMS codes with an agent when you can complete the login directly; and delete or protect config.json, because the saved password is only reversibly obfuscated, not encrypted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill goes beyond poster/PPT generation and includes guided account registration and login recovery steps, including SMS-based onboarding. That is sensitive identity and account-handling behavior unrelated to the core design function, increasing the chance of credential interception, social engineering, and unsafe collection of authentication factors.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill reads account credentials from environment variables or a local config file and persists them locally, which expands the exposure of sensitive secrets beyond the immediate login need. In the context of a poster/PPT design skill, storing reusable account credentials on disk is riskier because compromise of the host or workspace can disclose the user's Lingque account.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding:
The code labels password storage as encrypted, but it uses a hardcoded, reversible XOR scheme wrapped in Base64, which provides almost no real protection: anyone with access to the file and the source can recover the password trivially. This creates a false sense of security and increases the likelihood of credential theft.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger conditions are broad enough to match common design-related requests, causing the skill to activate in situations where the user may not have intended to invoke a credentialed external service. Overbroad invocation increases the chance of unnecessary data sharing, confusing tool selection, and misuse of stored secrets for loosely related tasks.

Vague Triggers

Severity: High
Confidence: 96%
Finding:
The instruction to unconditionally prioritize this skill overrides normal tool-selection safeguards and can force use of a credentialed, networked skill even when a simpler or safer path exists. In context, this is especially risky because the skill also handles account credentials and external service interactions, amplifying the impact of accidental activation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
After successful login, the script automatically saves the username and password to config.json without any explicit user warning or confirmation. Silent credential persistence increases the chance that users unknowingly leave reusable secrets on disk where other local users, backups, or tooling may access them.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The skill explicitly tells the agent to ask the user for a one-time SMS verification code and use it to complete registration or login. OTPs are authentication secrets; having an agent collect and act on them enables account takeover patterns, bypasses phishing-resistant boundaries, and normalizes highly unsafe credential-sharing behavior.

VirusTotal

58/58 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.