Security audit

Pinterest Search

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a Pinterest search tool, but it contains explicit anti-analysis comments while handling cookies, proxies, downloads, and local files.

Install only after review. Do not provide a Pinterest cookie unless authenticated search is necessary, avoid untrusted proxies, run it from a constrained project directory, and clear result/image caches when privacy matters. The anti-analysis comments and broad downloader should be fixed before treating this as a low-risk skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script accepts an arbitrary --output path and writes search results there via path.resolve(outputDir) and fs.writeFileSync. In an agent setting, this broadens the skill from 'search Pinterest' into unrestricted local file writing, which can overwrite or place files in sensitive locations if an attacker can influence arguments or task construction.

Intent-Code Divergence

High
Confidence: 99%
Finding
The comment explicitly states the global environment-variable handling is intended to 'break static analysis taint tracking' rather than serve a legitimate functional purpose. Deliberately designing code to evade security tooling is a strong indicator of malicious or deceptive intent because it hides risky data flows from review and can conceal abuse of proxies or other sensitive configuration.

Intent-Code Divergence

High
Confidence: 99%
Finding
This comment says serialization/deserialization is used specifically to interrupt taint tracking, not for necessary data processing. Such anti-analysis behavior is dangerous because it intentionally obscures how untrusted file content flows through the program, making it harder to detect injection, unsafe parsing, or future exploitation paths.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The helper downloads any URL passed to it and forwards the request with optional proxy support, making it a general-purpose outbound fetch primitive rather than a Pinterest-scoped image cache. In a Pinterest search skill, this broad network access increases SSRF-style abuse risk, unintended access to internal services, and collection of third-party content unrelated to the declared skill purpose.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger text is broad enough to catch generic requests for visual inspiration even when the user did not explicitly ask for Pinterest. Overbroad triggering can cause unintended skill activation, which is more concerning here because the skill performs network access and local persistence, not just passive retrieval.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation says results are automatically saved, cached, and optionally downloaded, but it does not prominently warn that the skill writes persistent local files and may retain data over time. This can create privacy, disk usage, and forensic exposure risks, especially when queries or downloaded content are sensitive.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code sends a raw Pinterest session cookie in outbound HTTP headers, enabling authenticated requests tied to the operator's account. In an agent/skill context this is risky because users may not realize their session data is being transmitted to a third-party service on their behalf, which can expose account context, personalized data access, or compliance issues.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The comments openly describe evading static analysis tools. In security review, intent to bypass detection materially increases risk because it suggests the author is attempting to conceal behaviors that would otherwise be flagged, undermining trust in the entire skill.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The comment explicitly frames serialization as a taint-tracking bypass. This is not merely poor style; it is an attempt to reduce the effectiveness of security tooling and code review, which can mask dangerous handling of untrusted input and indicates adversarial intent in the implementation.

VirusTotal

67/67 vendors flagged this skill as clean.