明日 DMP Audience Sync

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for legitimate DMP audience syncing, but it asks for sensitive API credentials in chat and uses broad cross-skill execution and logging behaviors that need review before installation.

Install only if you trust the publisher and the separate auth/logger skills. Do not paste AK/SK into chat; use a proper credential store or out-of-band secret setup. Review what the logger records, and prefer a version that pins the auth dependency to a verified path rather than scanning and executing discovered local scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: Medium, Confidence: 94%
Finding
The skill instructs the agent to install another skill via a shell command, extending behavior from audience-sync management into package installation. This increases the attack surface because a user invoking this skill may unexpectedly trigger code acquisition and installation of additional components with their own permissions and behaviors.

Context-Inappropriate Capability

Severity: Medium, Confidence: 91%
Finding
The skill adds persistent task-history recording through a separate logger skill, which is not necessary for the core audience sync function. Persisting extra data and introducing another installable component broadens the trust boundary and creates additional opportunities for sensitive information retention or misuse.

Context-Inappropriate Capability

Severity: Low, Confidence: 93%
Finding
This code probes the local environment for the presence of an unrelated 'skill-logger' component by checking well-known directories under the user's home and /tmp. In a DMP audience-sync skill, this is unnecessary cross-skill inspection that leaks host-environment state and creates an unexpected dependency on another skill, expanding the trust boundary without user consent.

Description-Behavior Mismatch

Severity: Low, Confidence: 95%
Finding
The script goes beyond its declared audience-sync purpose and enforces a separate task-logging workflow, including blocking normal result presentation until another skill is used or installed. This is dangerous because it can manipulate the agent's control flow, coerce users into installing unrelated software, and create unauthorized data propagation of task metadata to another component.

Context-Inappropriate Capability

Severity: Medium, Confidence: 84%
Finding
The script performs broad discovery across local skill directories and opens candidate files to inspect their contents, which exceeds the minimum access needed for a simple ad-account lookup. In a plugin environment, this expands the file-access surface and can be abused to enumerate installed skills, infer local environment details, or execute an attacker-planted lookalike auth script if one is discovered first.

Context-Inappropriate Capability

Severity: Low, Confidence: 95%
Finding
The script searches multiple user-writable directories for a file named minri_dmp_api.py and then executes the first matching candidate after only a weak content check. An attacker who can place a malicious file in one of those locations can hijack execution and receive all forwarded API parameters, leading to arbitrary code execution in the user's context and possible credential or data theft.

Vague Triggers

Severity: Medium, Confidence: 78%
Finding
The trigger phrases for request classification are broad and may overlap with ordinary conversation, increasing the chance that the skill activates or enters a sensitive workflow unexpectedly. In this skill, accidental activation matters because later steps involve credential handling, local file checks, and potential shell-based installs.

Vague Triggers

Severity: Medium, Confidence: 77%
Finding
The supported-function trigger wording is also broad, which can cause the agent to interpret casual user text as authorization to query accounts or manage sync tasks. Because the skill handles sensitive business operations and may request secrets, ambiguity in activation increases operational and privacy risk.

Missing User Warnings

Severity: Low, Confidence: 76%
Finding
The script delegates privileged API activity to another local Python script discovered at runtime, but gives the user no meaningful notice that external code will be executed as part of a simple account-query action. Combined with the loose path-discovery logic, this creates a trust-boundary problem: a malicious or spoofed auth skill can run arbitrary code under the user's account.

Ssd 3

Severity: High, Confidence: 99%
Finding
The skill tells users to paste Access Key and Secret Key directly into chat and also references storing credentials in a local file. Requesting secrets through natural-language chat is dangerous because chat transcripts may be retained, logged, or exposed to other components, and these API credentials provide direct access to the DMP platform.

Ssd 3

Severity: Medium, Confidence: 95%
Finding
The workflow mandates automatic recording of task IDs, names, times, and parameter configurations to a persistent history file. Those parameters can include business-sensitive identifiers and possibly user-provided values, so mandatory retention increases the risk of later disclosure through filesystem access, logs, backups, or other skills.

VirusTotal

VirusTotal findings are pending for this skill version.