Mingri DMP Audience Segmentation

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine DMP audience-management tool, but it needs review because it can install and run helper skills, and it creates business audience data using API credentials.

Install only if you trust the publisher, the Mingri DMP auth skill, and the optional logger skill. Before using it, confirm exactly which helper skill path will be executed, avoid running it in workspaces where untrusted skills can be placed, and be aware that API credentials and audience/task parameters may be stored locally or by the logger.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
sys.exit(3)
    
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
88% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
sys.exit(3)
    
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
82% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script (new format: includes a method parameter)
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), method, endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
88% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), method, endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script (new format: includes a method parameter)
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), method, endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), method, endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script (new format: includes a method parameter)
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), method, endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
89% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), method, endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to execute a terminal command that installs another skill from an external source as part of normal operation. This expands the trust boundary and enables unreviewed code or prompts to be introduced into the environment, which is not strictly necessary for the core audience-selection function.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill mandates checking for and potentially installing a separate logging skill, then using it to persist task history and parameters. This adds a secondary capability unrelated to the primary function and increases the risk of sensitive business inputs being stored or exposed through another component.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented purpose is creating ad-behavior audiences, but the code performs broad filesystem scanning to discover and trust another skill implementation. That cross-skill discovery mechanism expands the attack surface substantially: an attacker can place a lookalike script in one of the searched directories and have it executed, leading to unintended code execution and possible credential or data theft.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill gains a general external code-execution capability by launching another Python interpreter and script instead of using a constrained internal API. In this context, that is dangerous because the executed target is discovered dynamically and receives request contents, making the audience-creation workflow dependent on untrusted executable content.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring claims the function only uses a standard installation path, but the implementation also searches alternate locations and dynamically scans directories for matching scripts. This mismatch can mislead reviewers and operators into trusting the lookup behavior, while the actual logic expands the attack surface for planting a malicious auth helper.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation claims the function only uses a standard install path and avoids platform-specific paths, but the implementation also searches workspace, current-directory, and dynamically scanned locations. This mismatch can mislead reviewers and users into trusting path resolution that is actually much broader, increasing the chance that an untrusted helper script is executed.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The docstring asserts a constrained, standard-path lookup model, but the implementation also searches alternate locations and dynamically scans directories for a matching script. This mismatch can mislead reviewers and users about the trust boundary, hiding the fact that executable code may be loaded from broader, less trusted locations.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The docstring states that only a standard install path is used, but the implementation also checks several alternate locations and performs dynamic directory scanning. This mismatch is security-relevant because reviewers and users may believe path resolution is tightly constrained when it is not, increasing the chance that the subprocess executes an unexpected script from a less trusted location.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The docstring states the function only checks a standard installation path, but the implementation also probes multiple alternate locations and performs dynamic scanning. This mismatch can mislead reviewers and users into believing execution is constrained when it is not, increasing the chance that unsafe path-resolution behavior goes unnoticed.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The docstring claims the function only searches a standard installation path, but the implementation also searches alternate locations and performs dynamic scanning. This discrepancy hides security-relevant behavior: reviewers or operators may assume a tight trust boundary when the code actually accepts helper code from several locations, increasing the chance that malicious or tampered scripts are executed unnoticed.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comment says the standard installation path is the only correct lookup location, yet the code probes multiple other paths and dynamically discovers candidate scripts. Misleading comments around trust boundaries are dangerous because they can conceal broad executable search behavior that materially affects security and can enable execution of attacker-planted code.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documented claim that only a standard install path is used is contradicted by code that searches platform-specific paths, the current working directory, and dynamically scans directories for a file whose contents merely contain identifying strings. This mismatch hides a trust-boundary expansion that makes dependency hijacking easier, because a malicious local skill directory or working-directory artifact can be selected and executed as the auth component.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The creation triggers are broad enough to match common language about labels, conditions, or behaviors, which can cause the skill to activate unexpectedly. In a skill that can collect credentials and initiate installations or API actions, ambiguous invocation materially increases the chance of unintended sensitive operations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Trigger keywords built from everyday phrases about location, travel, or similarity are too generic and can collide with ordinary conversation. Because the skill couples intent matching with multi-step operational flows, false activations could lead to unnecessary credential prompts, data collection, or attempts to install auxiliary skills.

VirusTotal

64/64 vendors flagged this skill as clean.
