Security audit

MemoleCard-zh

Security checks across malware telemetry and agentic risk

Overview

This skill mostly automates card generation, but its fallback download path can send live browser cookies to a configurable server.

Review before installing. Only run this with a trusted backup server value and a non-sensitive browser session; safer use would remove the cookie-forwarding fallback or restrict it to a verified first-party endpoint with explicit consent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 98% confidence
Finding: The fallback path sends the browser session cookies to a configurable server URL supplied via a template variable, which can exfiltrate authenticated session data to an arbitrary host. In this skill context, the danger is increased because the code explicitly harvests live cookies from the browser session and forwards them off-origin without any visible consent, making account compromise or unauthorized API access possible.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal