Wei Cross Research

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed multi-model research skill that sends queries to configured LLM providers and saves local result files, with privacy considerations but no artifact-backed deception or unsafe behavior.

Install only if you are comfortable sending each research query to the configured external LLM providers and paying for multiple model calls. Do not submit secrets, regulated data, or confidential business information unless those providers are approved for that data, and delete files under reports/ and intermediate/ when they contain sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Low severity, 78% confidence
Finding
The skill's primary description emphasizes cross-validation, but the documentation also states that raw model outputs and synthesized results are persisted to local report and intermediate files. This creates a data-retention surface that may unexpectedly store sensitive prompts, provider outputs, or regulated data on disk beyond the immediate task execution.

Description-Behavior Mismatch

Medium severity, 90% confidence
Finding
The agent writes model responses and later the synthesized report to durable local files, which can capture sensitive user queries and generated content outside the immediate execution flow. For a research skill, this persistence is not essential to answering the query and increases the risk of unintended disclosure through local file access, backups, or later artifact collection.

Context-Inappropriate Capability

Medium severity, 90% confidence
Finding
The saveModelResponses, saveIntermediate, and saveReport functions implement durable logging of model outputs, judge output, and the full query to disk. This expands the data exposure surface beyond the stated cross-validation purpose and can leak private or regulated information if local artifacts are read by other users, processes, or support tooling.

Missing User Warnings

Medium severity, 92% confidence
Finding
The README explicitly tells users to store live API keys in a `.env` file but does not warn them to keep that file out of version control, avoid sharing it, or use secret-management practices. This can lead to accidental credential disclosure through Git commits, screenshots, support bundles, or copied example files, especially because the skill requires multiple third-party LLM provider keys.

Missing User Warnings

Medium severity, 95% confidence
Finding
The README tells users to store API keys in environment variables and in a local `.env` file, but it does not warn that these credentials are sensitive, should never be committed, and should be excluded from logs, screenshots, and version control. In a developer-facing setup guide, that omission materially increases the chance of accidental secret exposure through Git commits or shared project files.

Natural-Language Policy Violations

Medium severity, 93% confidence
Finding
The configuration hard-codes "region": "cn", which can route prompts and outputs through a China-region deployment without any explicit user selection or documented consent. For a cross-research skill that may handle sensitive or high-stakes queries, this increases data residency, compliance, and privacy risk because users may unknowingly send content to a jurisdiction with different legal and operational controls.

Missing User Warnings

Medium severity, 87% confidence
Finding
The callModel path sends user queries and, during judging, model-derived summaries to external providers such as Bailian, OpenRouter, and OpenAI-compatible endpoints. Without an explicit disclosure/consent mechanism in the skill flow, users may unknowingly transmit sensitive content to third parties with separate retention and training policies.

Missing User Warnings

Medium severity, 91% confidence
Finding
The skill writes research queries, model outputs, and judge synthesis to local report and intermediate files without notifying the user. Silent persistence of potentially sensitive research topics or embedded secrets creates a confidentiality risk even if the files remain on the same host.

Missing User Warnings

Medium severity, 86% confidence
Finding
The exported research API transmits user queries to external LLM providers, but the interface does not clearly disclose that sensitive prompts may leave the local environment. In a research skill, users may submit proprietary, regulated, or personal data under the assumption of local processing, creating a real privacy and compliance risk.

Missing User Warnings

Medium severity, 91% confidence
Finding
This custom-client path accepts provider credentials and immediately uses them to send user prompts to external services without explicit disclosure at the API boundary. Because the skill is specifically designed to fan queries out to multiple models, the privacy exposure is amplified: one input may be replicated across providers, increasing data-sharing and compliance risk.

Ssd 3

Medium severity, 82% confidence
Finding
The code path around research execution is tied to later plain-text persistence of both user query content and model-derived content, with no sensitivity classification or filtering. This can expose secrets, personal data, or proprietary research material in logs and artifacts that are easier to access or exfiltrate than the live process memory.

Ssd 3

Medium severity, 93% confidence
Finding
saveReport records the full user query and the raw judge synthesis into a report file, which may reproduce sensitive user-supplied information and inferred conclusions verbatim. Because the report is durable and human-readable, any compromise of the host or shared workspace can reveal the complete research request and synthesized output.

VirusTotal

63/63 vendors flagged this skill as clean.