Bestcoffer Ai Redaction

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform BestCoffer document redaction, but it needs review because it uploads sensitive files and places credential-derived data in returned links and persistent logs.

Review before installing. Use this only if you are comfortable sending the selected document and redaction instructions to BestCoffer. Configure the API key through the platform secret/environment mechanism rather than pasting it into chat. Treat returned task URLs as sensitive because they include credential-derived material, and be aware that debug logs may persist local paths, instructions, and task links on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The mandatory rule says not to reply with "file ID, status, logs" (文件 ID、状态、日志), which indicates that status information should not be exposed. Elsewhere, however, the skill explicitly instructs the agent to return a query link so the user can check processing progress and status, a direct contradiction in the documented intent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
With no manifest available, the only defensible scope is the directly observable redaction workflow. The code creates log directories/files and records file names, file paths, sizes, instructions, and status messages to persistent locations under the user's home directory and temp directory, which is an additional capability beyond performing a redaction request.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill falls back to process environment variables for API credentials (`process.env.apiKey`, `API_KEY`, `OPENCLAW_SKILL_API_KEY`). For a skill with unknown declared purpose, accessing ambient secrets is a privileged capability that should be explicitly declared rather than silently used.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
After upload, the code encrypts the API key with a fixed key/IV and embeds the result as `k` in a website URL returned to the caller. Because the key and IV are constants in the shipped code, anyone holding the bundle and the URL can decrypt `k` back to the API key, so the URL must be treated as equivalent to the credential itself. Even if intended for convenience, generating shareable URLs that carry credential-derived material is a distinct capability beyond basic file redaction and should be explicitly justified and disclosed.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest trigger list contains generic words such as "敏感信息" (sensitive information), "涂黑" (black out), "脱敏" (redact), "打码" (pixelate), "屏蔽" (mask), "遮盖" (cover up), and "黑掉" (black out). These overlap with common conversational language and are not scoped by exclusions or contextual limits, increasing the chance of accidental activation outside the intended file-redaction use case.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill states that its triggers "comprehensively cover high-frequency natural conversation worldwide" (已全面覆盖全球高频自然对话) and "support fuzzy matching and mixed Chinese/English" (支持模糊匹配、中英混合), then lists many conversational examples including broad requests like "help me process this local file" (帮我处理这份本地文件). This makes it unclear when the skill should activate versus defer, and no negative examples or constraints are provided.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown describes file upload, processing, and returned download links, but does not plainly warn users that their files and instructions will be transmitted to BestCoffer's service. Although it mentions encryption and security boundaries later, it omits an upfront disclosure about third-party/external processing and associated privacy implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The execution flow tells users to obtain an API key and then provide it, and the example dialogue explicitly asks the user to send the API key in chat. This is a sensitive credential handling behavior, but the markdown does not warn users that chat submission of API keys may expose secrets and that platform secret configuration is preferred.

Natural-Language Policy Violations

Low
Confidence
90% confidence
Finding
The instructions require the agent to ask for and confirm redaction instructions using fixed Chinese phrases such as "确认执行" (confirm and run), "是的" (yes), and "脱敏吧" (go ahead and redact), and the examples are entirely in Chinese. There is no indication that users may choose another language, which creates a locale/language policy concern for a generally described skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill pulls credentials from process.env (apiKey/API_KEY/OPENCLAW_SKILL_API_KEY) and uses them to call an external service, but the code provides no docstring, comment, or explicit user disclosure that environment-stored secrets will be accessed. Reading sensitive environment variables without any visible warning or explanation counts as an undisclosed action for a code file.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill creates a multipart form with the user-provided file and instruction, then sends it via HTTP POST to a remote API endpoint. Although there is logging, the logs are generic and do not clearly warn the user that local file contents are transmitted to a third-party service, which is the kind of disclosure expected for safety-relevant network transmission.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The code creates log directories and appends log entries to debug.log files under the user's home directory and temp directory. This is a file-write side effect, and while the code logs operational messages, it does not clearly disclose to the user that execution will persist artifacts on disk.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
Multiple natural-language strings returned to users, including error and status messages, are hard-coded in Chinese. The file does not indicate any locale selection, opt-in, or region-specific justification, so it appears to enforce a single language contrary to the stated policy.

Ssd 3

Medium
Confidence
92% confidence
Finding
The workflow tells the agent to obtain an API key from the user and continue after the user provides it, which is reinforced by the example conversation where the user pastes the key directly in chat. This is a natural-language data collection pattern for sensitive credentials, even though the file elsewhere says such secrets should be configured through platform mechanisms.

Ssd 3

High
Confidence
97% confidence
Finding
The sample interaction normalizes requesting a secret from the user and having them reveal it directly in chat, then using it for processing. This is a clear natural-language instruction to collect sensitive authentication material from the user, creating credential exposure risk through conversational handling.

Hidden Instructions

High
Category
Prompt Injection
Content
---
name: bestcoffer-ai-redaction
description: A smart file redaction tool designed for individual users, emphasizing a purely personal standalone mode. It redacts user-uploaded files according to natural-language instructions, processing private information in PDF, Word, image and other formats quickly, precisely and securely. When processing completes it returns a query link for checking progress and downloading the result
author: BestCoffer
Confidence
60% confidence
Finding
Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
"use strict";var __getOwnPropNames=Object.getOwnPropertyNames,__commonJS=(d,p)=>function(){return p||(0,d[__getOwnPropNames(d)[0]])((p={exports:{}}).exports,p),p.exports},require_delayed_stream=__commonJS({"node_modules/delayed-stream/lib/delayed_stream.js"(d,p){var i=require("stream").Stream,r=require("util");p.exports=c;function c(){this.source=null,this.dataSize=0,this.maxDataSize=1024*1024,this.pauseStream=!0,this._maxDataSizeExceeded=!1,this._released=!1,this._bufferedEvents=[]}r.inherits(c,i),c.create=function(s,n){var m=new this;n=n||{};for(var v in n)m[v]=n[v];m.source=s;var b=s.emit;return s.emit=function(){return m._handleEmit(arguments),b.apply(s,arguments)},s.on("error",function(){}),m.pauseStream&&s.pause(),m},Object.defineProperty(c.prototype,"readable",{configurable:!0,enumerable:!0,get:function(){return this.source.readable}}),c.prototype.setEncoding=function(){return this.source.setEncoding.apply(this.source,arguments)},c.prototype.resume=function(){this._released||this.release(),this.source.resume()},c.prototype.pause=function(){this.source.pause()},c.prototype.release=function(){this._released=!0,this._bufferedEvents.forEach(function(s){this.emit.apply(this,s)}.bind(this)),this._bufferedEvents=[]},c.prototype.pipe=function(){var s=i.prototype.pipe.apply(this,arguments);return this.resume(),s},c.prototype._handleEmit=function(s){if(this._released){this.emit.apply(this,s);return}s[0]==="data"&&(this.dataSize+=s[1].length,this._checkIfMaxDataSizeExceeded()),this._bufferedEvents.push(s)},c.prototype._checkIfMaxDataSizeExceeded=function(){if(!this._maxDataSizeExceeded&&!(this.dataSize<=this.maxDataSize)){this._maxDataSizeExceeded=!0;var s="DelayedStream#maxDataSize of "+this.maxDataSize+" bytes exceeded.";this.emit("error",new Error(s))}}}}),require_combined_stream=__commonJS({"node_modules/combined-stream/lib/combined_stream.js"(d,p){var i=require("util"),r=require("stream").Stream,c=require_delayed_stream();p.exports=s;function s(){this.writable=!1,t
...[truncated 28 chars]
Confidence
95% confidence
Finding
rms+xml":{source:"iana",compressible:!0},"application/
(The captured finding text is a fragment of a MIME-type table, i.e. mime-db entries in the bundled code; no explanatory finding was captured.)

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Identical to the bundled dependency code (delayed-stream, combined-stream) shown in the first Tool Parameter Abuse finding above, truncated at the same point.
Confidence
95% confidence
Finding
rms":{source:"iana",extensions:["rms"]},"application/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Identical to the bundled dependency code (delayed-stream, combined-stream) shown in the first Tool Parameter Abuse finding above, truncated at the same point.
Confidence
95% confidence
Finding
rm"]},"application/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Identical to the bundled dependency code (delayed-stream, combined-stream) shown in the first Tool Parameter Abuse finding above, truncated at the same point.
Confidence
95% confidence
Finding
rmvb"]},"application/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Identical to the bundled dependency code (delayed-stream, combined-stream) shown in the first Tool Parameter Abuse finding above, truncated at the same point.
Confidence
95% confidence
Finding
rmi"]},"audio/mobile-xmf":{source:"iana",extensions:["mxmf"]},"audio/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Identical to the bundled dependency code (delayed-stream, combined-stream) shown in the first Tool Parameter Abuse finding above, truncated at the same point.
Confidence
95% confidence
Finding
rmp"]},"audio/x-realaudio":{source:"nginx",extensions:["ra"]},"audio/

VirusTotal

63/63 vendors reported this skill as clean.

View on VirusTotal