Security audit

Omni Channel Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real market-research skill, but it uses under-scoped credential handling, mutates the runtime environment, and stores off-purpose adult or sensitive trend data.

Install only after review in a controlled environment. Use dedicated least-privilege API tokens, avoid running it on a personal shell profile, remove ~/.bashrc credential loading and runtime pip installation, and add strict source allowlists plus NSFW/off-topic filters before using its outputs for product or marketing decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:
        from pytrends.request import TrendReq
    except ImportError:
        print("[Google Trends] pytrends not installed, installing...")
        os.system("pip install pytrends --break-system-packages -q")
        from pytrends.request import TrendReq

    if keywords is None:
Confidence: 95%
Finding:
os.system("pip install pytrends --break-system-packages -q")

Tainted flow: 'req' from os.environ.get (line 106, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})

    try:
        with urllib.request.urlopen(req, timeout=timeout_secs + 30) as resp:
            items = json.loads(resp.read().decode())
            print(f"[Apify] Got {len(items)} items (sync)")
            return items
Confidence: 91%
Finding:
with urllib.request.urlopen(req, timeout=timeout_secs + 30) as resp:

Tainted flow: 'url' from os.environ.get (line 111, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
           f"&display_limit={limit}&export_columns=Ph,Po,Nq,Cp,Co,Kd,Tr,Tc,Ur"
           f"&domain={domain}&database={database}")
    try:
        resp = urllib.request.urlopen(url, timeout=20)
        text = resp.read().decode()
        if 'ERROR' in text[:100]:
            print(f"[SEO] Semrush error for {domain}: {text[:100]}")
Confidence: 97%
Finding:
resp = urllib.request.urlopen(url, timeout=20)

Tainted flow: 'req' from os.environ.get (line 136, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
            "Notion-Version": "2022-06-28",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req, timeout=15) as resp:
            result = json.loads(resp.read().decode())

        bot_names = set()
Confidence: 89%
Finding:
with urllib.request.urlopen(req, timeout=15) as resp:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares broad capabilities in practice (environment variable access, local file read/write, network access, and shell execution) but does not explicitly declare permissions or warn users about them. That creates a transparency and consent gap: a user may invoke what looks like a research/reporting skill without realizing it can access secrets, call external services, and persist data locally.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The file goes beyond benign product-selection research and includes SEO targets for explicit or sexualized features such as clothing removal, breast expansion, jiggle/twerk, and related terms. In the context of an operations-facing selection agent, this broadens the skill into scouting risky adult/sexual AI capabilities, which can steer downstream teams toward unsafe or policy-violating product directions.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The dataset contains adult/sexualized capability scouting that is not justified by the agent's stated role, including terms for nudification/clothing removal and sexual body manipulation. That creates a concrete pathway for the skill to recommend or normalize high-risk features that can enable abuse, harassment, non-consensual sexualized edits, or policy evasion.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding:
The Reddit corpus includes clearly NSFW/sexual community content unrelated to omni-channel product research, such as explicit sexualized subreddit entries. Mixing this into trend intelligence increases the risk that the agent amplifies unsafe content, corrupts recommendations, or exposes internal users to inappropriate material without need or consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The file materially exceeds the stated 'omni-channel product selection' purpose by harvesting broad AI dance/filter tutorials, influencer content, and unrelated cross-platform trend material. This kind of scope creep creates unnecessary data exposure, increases the chance of collecting irrelevant or problematic content, and weakens purpose limitation and downstream governance controls.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The dataset includes Reddit posts that are plainly unrelated to the skill's business purpose, including sexual/adult material. Collecting and storing such content without necessity creates avoidable compliance, safety, reputational, and moderation risk, especially if surfaced to users or reused in analytics pipelines.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The file content materially diverges from the declared skill purpose: instead of broad omni-channel product-selection research, it is dominated by AI makeup/cosplay trend aggregation and influencer tracking. This kind of scope drift is dangerous because downstream agents or operators may trust the manifest and unknowingly process irrelevant or sensitive trend data, causing misrouting, unsafe automation decisions, or policy bypass through mislabeled datasets.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The dataset includes Reddit entries that are clearly off-topic for product-selection research, including sexual content and unrelated communities. This is dangerous because unrelated or NSFW content can contaminate downstream ranking, summarization, or recommendation pipelines, create moderation/compliance exposure, and increase the chance that an agent surfaces harmful or embarrassing content in business workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This SEO output includes explicit sexualized and adult-themed keywords such as clothing-removal and breast-focused terms, which materially expands the skill beyond ordinary product-selection research. In an omni-channel operations context, this can drive the agent to recommend or normalize high-risk NSFW features and marketing targets, creating policy, brand-safety, and abuse exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The file materially exceeds the declared purpose of an omni-channel product-selection agent by aggregating broad cross-platform trend intelligence from Instagram, YouTube, Reddit, and Google Trends on generic AI-filter topics. This expands collection scope without clear user need, increasing privacy, compliance, and mission-creep risk while creating a reusable surveillance-style dataset that could be repurposed beyond the stated workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The creator profiles explicitly frame humans as inputs for downstream AI generation, face/cosplay transformation, and pose-tracking extraction rather than ordinary market research. In this skill context, that makes the dataset more dangerous because it enables imitation, biometric-style analysis, and model-training or avatar-generation use cases not justified by a product-selection agent.

Context-Inappropriate Capability

Severity: Low
Confidence: 81%
Finding:
Labels such as '虚荣触发' (roughly "vanity trigger") indicate the system is classifying content by psychological manipulation potential rather than neutral research value. While lower severity than direct data misuse, this nudges the skill toward exploitative engagement optimization and can facilitate manipulative campaign design inconsistent with the stated selection-research purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The file includes clearly unrelated Reddit entries, including explicit sexual content, inside a dataset described as product selection and social/SEO/ad trend research. This creates a real data-scope and content-safety issue: downstream agents or users may surface, summarize, rank, or act on irrelevant NSFW material, leading to unsafe outputs, policy violations, and corrupted business insights.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The file materially diverges from the skill’s declared purpose and instead contains broad social-intelligence collection about AI makeup/cosplay trends across multiple platforms. In an agent setting, this kind of scope drift is dangerous because it can silently cause collection, retention, and downstream use of data unrelated to the user’s task, increasing privacy/compliance exposure and making operator review less reliable.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The Reddit collection includes clearly irrelevant and NSFW sexual content, which is not justified by the skill’s stated business purpose. This is dangerous because unrelated sensitive/adult content can contaminate downstream analytics, expose users or systems to policy and workplace-safety violations, and indicate the crawler or filter logic is insufficiently bounded.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The Google Trends section tracks broad generic AI-photo/filter/generator queries that are not clearly necessary for omni-channel product selection, SEO research, or competitor ad analysis. Over-collection of weakly related trend data can mislead downstream decisions, expand data handling scope without justification, and mask whether the skill is acting according to user intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The skill reads secrets from the user's ~/.bashrc and imports them into the process environment, which exceeds the minimally necessary behavior for a pipeline runner and accesses a sensitive user file without explicit consent. This expands the skill's access to credentials that may be unrelated to this task and makes secret exposure more likely through child processes, logs, crashes, or future code changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The script proactively opens and parses the user's ~/.bashrc to extract API tokens into its own process environment. For an analytics/research skill, directly reading shell startup files is not necessary when standard environment variables or explicit configuration inputs would suffice, and it expands access to sensitive secrets beyond the least privilege expected of the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script proactively opens the user's ~/.bashrc and imports multiple API secrets into its own environment without explicit consent, disclosure, or a demonstrated need limited to this file's core orchestration role. This creates unnecessary secret exposure and broadens the blast radius if downstream modules log, exfiltrate, or misuse those credentials.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Installing a Python package at runtime is not necessary for the stated trend-research purpose and causes the skill to alter the execution environment as a side effect. In this context, that broadens the skill's capabilities beyond data retrieval and introduces dependency trust and supply-chain exposure without explicit operator approval.

Context-Inappropriate Capability

Severity: Low
Confidence: 77%
Finding:
The code extracts and retains Reddit author identifiers even though the stated purpose is trend discovery, not user profiling. Collecting unnecessary identifiers increases privacy exposure and can enable downstream correlation or profiling if the data is stored, shared, or reused beyond the immediate analysis task.

VirusTotal

66/66 vendors flagged this skill as clean.