Security audit

Shwuyeyanjiu

Security checks across malware telemetry and agentic risk

Overview

This skill appears to fetch public Shanghai property announcement PDFs, OCR them locally, and calculate project details, with local-file hygiene issues users should notice.

Install only if you are comfortable with the skill downloading public PDFs from the Shanghai property site, storing temporary PDFs locally, and running OCR. Before running the batch scripts, change the hard-coded CSV output path to a directory you control and clean up /tmp PDFs afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill demonstrates network access, local file writes, and file reads via requests, curl, and OCR on /tmp files, but does not declare any permissions or warn operators about those capabilities. Undeclared capabilities undermine least-privilege controls and user consent, making it easier for the skill to perform side effects that exceed what a caller expects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented behavior goes beyond the stated purpose of ad hoc project lookup and fee calculation, including broader batch analysis, contract-expiry inference, CSV export, and processing of existing local PDFs. This mismatch is dangerous because reviewers and users may authorize the skill for a narrow research task while it actually performs broader collection, retention, and analysis operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The script writes output to a hard-coded, user-specific absolute path under /Users/yujunwang, which can leak data into an unintended location, fail unpredictably on other systems, or overwrite files in a specific local workspace without operator confirmation. In an agent setting, fixed filesystem writes outside a controlled working directory weaken isolation and make data handling less transparent.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The trigger conditions are broad and fuzzy, such as activating on generic mentions like '上海物业' or '物业费', which increases the chance of accidental invocation. In an agent setting, overbroad triggering can cause unintended network access, local file creation, and data processing in conversations where the user did not actually request those actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs downloading remote PDFs and writing them to /tmp, then running OCR, but does not clearly disclose these side effects in a permissions or safety section. Hidden network and local-write behavior increases the chance of unexpected data transfer, storage of untrusted content, and processing of files without informed approval.

Missing User Warnings

Severity: Medium
Confidence: 73%
Finding
The script silently writes downloaded PDFs to /tmp and later writes a CSV report to a fixed filesystem path without user notice or consent. Even though the source data appears public, undisclosed local persistence can create privacy, disk-usage, and forensic risks, especially in shared or multi-tenant environments where temporary files may be accessible or linger longer than expected.

VirusTotal

66/66 vendors flagged this skill as clean.