youmind-kit-article

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it includes live Kit account deletion and other broad account/API operations without enough safeguards or clear upfront scoping.

Review before installing if the connected Kit account contains live broadcasts you cannot afford to lose. The skill publishes through YouMind as described, but it also ships an immediate, unconfirmed delete command for Kit broadcasts and writes drafts and config to shared `~/.youmind` storage. Use it only if you are comfortable with YouMind API access, actions against the connected Kit account, and shared local draft/config storage; do not invoke delete unless you have verified the exact broadcast ID.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes Node-based tooling and documents use of API-backed research and publishing, which implies environment and network access, yet no explicit permissions or safety boundaries are declared. This weakens reviewability and informed consent, especially because the skill can interact with a connected Kit account and shared config under the user's home directory.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared description frames the skill as writing and publishing broadcasts, but the documented behavior extends to listing, retrieving, deleting broadcasts, mining YouMind content, saving content back to YouMind, and generating images. This mismatch increases the chance that users or reviewers will underestimate the skill's authority and side effects, including destructive actions against live account content.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI exposes operational capabilities beyond the declared skill scope of writing and publishing Kit articles, including listing, fetching, validating, template enumeration, and especially deletion of broadcasts. In an agent-skill context, scope expansion increases the chance that a user or upstream prompt can trigger unintended account actions against connected Kit resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The delete command allows permanent removal of Kit broadcasts even though the skill is presented as a writing/publishing tool. This mismatch is dangerous because an agent or user invoking the skill for content creation could be induced to perform destructive actions on existing broadcasts, causing data loss and business disruption.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exposes a destructive delete capability for Kit broadcasts, but the manifest only describes writing and publishing articles. This creates a scope mismatch: an agent or user may invoke the skill believing it only creates content, while the hidden API surface also permits remote deletion of existing broadcasts.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file for a Kit article-writing/publishing skill exposes a chat-based image-generation capability that is unrelated to the declared workflow. In a manifest-scoped skill, extra capabilities increase the attack surface and can be invoked to send arbitrary prompts to a remote API, creating undeclared data flows and functionality outside user expectations.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The helper exposes broad board, material, craft, and document-save operations beyond the stated Kit broadcast use case. Even though these are legitimate API wrappers, bundling unnecessary write/read primitives into a skill-scoped client violates least privilege and makes unintended data access or modification more likely if the skill is misused or prompt-injected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that the default publishing mode is web-public and mentions using `--private` only as an alternative, but it does not prominently warn that running publish without flags may expose content publicly. In a skill whose purpose is generating and publishing newsletter content, unclear defaults can easily lead to unintended disclosure of drafts, sensitive business updates, or internal information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that publishing defaults to a public web feed, but the warning is easy to miss given that the skill's purpose is to write and publish content automatically. In this context, users may unintentionally expose drafts, internal announcements, or sensitive newsletter content externally, making this a real safety issue even though it is documentation-related rather than code-execution-related.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrases are broad enough to match generic requests about Kit, newsletters, or publishing, which can cause the skill to activate in situations the user did not intend. Because the skill supports account-connected publishing and other side-effecting operations, overbroad routing raises the risk of unintended execution paths.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill prominently advertises one-click publishing to a connected Kit account without an equally prominent warning that it can modify live external content. In a skill with network access and connected-account actions, insufficient upfront warning can lead to user surprise and accidental publication.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The delete command executes immediately on a supplied ID and provides no confirmation, warning, or secondary verification before performing an irreversible operation. In an automation or agent setting, this makes accidental or prompt-induced destructive actions much more likely, especially when IDs can be guessed, copied, or mis-specified.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The deleteBroadcast function performs a destructive remote deletion with no built-in confirmation, safeguard, or friction. In an agent context, accidental invocation, prompt injection, or tool misuse could irreversibly remove published content from the connected Kit account.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The save-article path reads a local file and uploads its contents to the remote YouMind API without any built-in user-facing confirmation or disclosure in this code path. In the context of a writing/publishing skill, users may expect publication to Kit, but not necessarily archival of full article content to a separate remote knowledge service, so this can cause unintended data exfiltration of sensitive drafts.
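The three gaps described in the findings above (publishing that defaults to web-public, a delete that runs on a bare ID with no confirmation, and a save-article path that uploads a draft to YouMind without an opt-in) can all be closed at the client boundary rather than in each command. The block below is an added example and is not code from the youmind-kit-article skill, YouMind, or Kit; the raw client method names (`getBroadcast`, `deleteBroadcast`, `publishBroadcast`, `saveArticle`), the in-memory broadcasts, and the confirmation rule (repeat the exact ID, optionally assert the expected subject) are assumptions made for the example. The wrapper records every side effect and every refusal in an audit list so an agent run can be reviewed afterwards.

```javascript
// Added example, not the skill's own code. The raw client interface and the
// in-memory account data below are assumptions made for this illustration.

class GuardError extends Error {}

// Publish visibility: no flag resolves to 'private' (the safe default); the
// only route to web-public is an explicit --public flag.
function resolveVisibility(argv) {
  const wantPublic = argv.includes('--public');
  const wantPrivate = argv.includes('--private');
  if (wantPublic && wantPrivate) {
    throw new GuardError('conflicting flags: --public and --private');
  }
  return wantPublic ? 'public' : 'private';
}

function createGuardedClient(raw) {
  const audit = []; // every side effect and every refusal is recorded here
  return {
    audit,

    publish(id, argv = []) {
      const visibility = resolveVisibility(argv);
      if (visibility === 'public') audit.push(`WARN publish ${id} as web-public (explicit --public)`);
      const result = raw.publishBroadcast(id, { visibility });
      audit.push(`publish ${id} visibility=${visibility}`);
      return result;
    },

    // Delete: the caller must repeat the exact ID as a confirmation token, the
    // broadcast must exist, and an optional expected subject must match what
    // the account really holds under that ID (catches copied or mistyped IDs).
    deleteBroadcast(id, { confirm, expectSubject } = {}) {
      if (typeof id !== 'string' || id.length === 0) {
        throw new GuardError('broadcast id must be a non-empty string');
      }
      if (confirm !== id) {
        audit.push(`REFUSED delete ${id}: confirmation token does not match`);
        throw new GuardError(`refusing to delete ${id} without confirm === id`);
      }
      const existing = raw.getBroadcast(id);
      if (!existing) {
        audit.push(`REFUSED delete ${id}: no such broadcast`);
        throw new GuardError(`broadcast ${id} not found; nothing deleted`);
      }
      if (expectSubject !== undefined && existing.subject !== expectSubject) {
        audit.push(`REFUSED delete ${id}: subject mismatch`);
        throw new GuardError(`broadcast ${id} is "${existing.subject}", not "${expectSubject}"`);
      }
      raw.deleteBroadcast(id);
      audit.push(`delete ${id} ("${existing.subject}")`);
      return existing;
    },

    // Remote save: shipping draft text to a second remote service is opt-in only.
    saveArticle(slug, text, { allowRemoteSave = false } = {}) {
      if (!allowRemoteSave) {
        audit.push(`REFUSED remote save of ${slug} (${text.length} chars)`);
        throw new GuardError('remote save requires allowRemoteSave: true');
      }
      audit.push(`remote save ${slug} (${text.length} chars)`);
      return raw.saveArticle(slug, text);
    },
  };
}

// Constructed in-memory stand-in for the connected account, so this runs offline.
function makeFakeClient() {
  const broadcasts = new Map([
    ['b-1001', { subject: 'March update' }],
    ['b-1002', { subject: 'Internal pricing memo (draft)' }],
  ]);
  const saved = [];
  return {
    broadcasts,
    saved,
    getBroadcast: (id) => broadcasts.get(id) || null,
    deleteBroadcast: (id) => broadcasts.delete(id),
    publishBroadcast: (id, opts) => ({ id, ...opts }),
    saveArticle: (slug, text) => { saved.push({ slug, text }); return slug; },
  };
}

// Walks through the guarded paths: one safe publish, four refusals, one verified delete.
function demo() {
  const fake = makeFakeClient();
  const kit = createGuardedClient(fake);
  const refusals = [];
  const attempt = (fn) => {
    try { return fn(); } catch (e) {
      if (e instanceof GuardError) { refusals.push(e.message); return null; }
      throw e;
    }
  };
  const published = kit.publish('b-1001');                                   // no flag: private
  attempt(() => kit.deleteBroadcast('b-1002'));                              // no confirmation token
  attempt(() => kit.deleteBroadcast('b-9999', { confirm: 'b-9999' }));       // mis-specified ID
  attempt(() => kit.deleteBroadcast('b-1002', { confirm: 'b-1002', expectSubject: 'March update' })); // wrong subject
  attempt(() => kit.saveArticle('march-update', '# March update'));          // remote save not opted in
  const deleted = kit.deleteBroadcast('b-1001', { confirm: 'b-1001', expectSubject: 'March update' });
  return { published, deleted, refusals, remaining: [...fake.broadcasts.keys()], audit: kit.audit };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The subject check is the part worth copying: an agent that has an ID in context but was prompted about a different broadcast fails the `expectSubject` comparison instead of deleting the wrong item, and the audit list gives the reviewer the refusal reasons without re-running anything.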

Missing User Warnings

Low
Confidence
74% confidence
Finding
The image-generation flow sends user prompt text to a remote chat/agent API without explicit disclosure in this module. Because the capability is unrelated to the stated Kit article skill, this hidden prompt transmission is more suspicious and can expose sensitive user input to an external service outside the expected task scope.

Session Persistence

Medium
Category
Rogue Agent
Content
## Draft Location Rule

**Canonical:** write local article Markdown files to `~/.youmind/articles/kit/<slug>.md`. This shared home directory is available to all YouMind skills — see [`shared/YOUMIND_HOME.md`](shared/YOUMIND_HOME.md).

**Legacy fallback** (if `~/.youmind/` is not writable): `skills/youmind-kit-article/output/<slug>.md`.
Confidence
90% confidence
Finding
The draft location rule writes article Markdown to `~/.youmind/articles/kit/<slug>.md`, a shared home directory available to all YouMind skills, falling back to the skill's own `output/` directory only when `~/.youmind/` is not writable. Drafts written there persist across sessions and can be read or altered by any other YouMind skill that uses the same directory, so the skill's state is neither session-scoped nor isolated from other skills.

VirusTotal

65/65 vendors flagged this skill as clean.
