Autoglm Deepresearch

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AutoGLM research helper that sends search queries and selected URLs to documented APIs and uses a documented local token service, with no evidence of hidden persistence or destructive behavior.

Install only if you are comfortable with research topics, search terms, and opened URLs being sent to AutoGLM and with the skill using the local token service at 127.0.0.1:53699 for authorization. Avoid confidential or internal URLs unless that data sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80%
Finding
The skill clearly instructs use of networked scripts and automatic token retrieval from a local HTTP service, yet no permissions or equivalent disclosure are declared. This creates a trust and audit gap: a user or platform may invoke the skill without realizing it performs outbound requests and accesses local services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90%
Finding
The documented behavior goes beyond benign research orchestration by including remote API calls, localhost token retrieval, and hardcoded signing material, while not actually implementing the promised deep-research logic in this file. This mismatch is dangerous because users may consent to a research helper but actually enable credentialed network operations and data transmission they did not reasonably expect.

Missing User Warnings

Medium
Confidence
88%
Finding
The skill states it will automatically fetch a token from a localhost service and send requests to external APIs, but it does not provide an adequate privacy warning or consent model. In context, this increases risk because user research topics may contain sensitive business, personal, or proprietary information that would be transmitted off-device without clear notice.

Missing User Warnings

Medium
Confidence
89%
Finding
The script automatically retrieves a bearer token from a local service and sends a user-supplied URL to a remote API, but provides no user-facing notice, consent step, or validation around what data is being transmitted. In a deep-research skill, URLs may contain sensitive query parameters, internal addresses, or user-specific resources, so silent forwarding to external/local services creates a meaningful privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90%
Finding
The script silently retrieves a bearer token from a local HTTP service on 127.0.0.1 and automatically uses it for outbound authentication. Loopback access is local-only, but it does not authenticate the peer: the port (53699) is unprivileged, so any process running as the same user, or one that binds the port before the real service does, can answer in its place. The script therefore places implicit trust in another process without verification or user awareness; if that service is malicious, spoofed, or compromised, the script may consume attacker-controlled credentials or unexpectedly leverage sensitive local auth context.
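The three "Missing User Warnings" findings above come down to two checks the skill never performs before it acts: deciding whether a user-supplied URL would disclose something if it left the device, and bounding where a token obtained from an unauthenticated loopback service may be sent. The guard below is an added example, not the AutoGLM skill's own code. The API host name, the token service's reply shape and the outbound request layout are assumptions made for the example; the sample URLs and the token reply are constructed, and nothing is fetched over the network.

```python
"""Pre-flight guard for a research helper that forwards user-supplied URLs to
a remote API and authenticates with a bearer token fetched from a loopback
token service.

Added example, not the AutoGLM skill's own code. Assumed for the example: the
API host name, the token service's reply shape ({"token": "..."}) and the
outbound request layout. 127.0.0.1:53699 is the address the skill documents.
"""
import ipaddress
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_SERVICE = "http://127.0.0.1:53699"        # documented by the skill
ALLOWED_API_HOSTS = {"api.example.invalid"}      # assumed: the only token sink
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home")
# Deliberately broad (prefers false positives): names that usually carry secrets.
SECRET_PARAM_RE = re.compile(r"token|secret|passw|api[_-]?key|signature|\bsig\b|auth|session", re.I)


def classify_url(url: str) -> dict:
    """Decide whether a URL may be forwarded off-device.

    Returns {"ok": bool, "reasons": [...], "redacted": str}. "reasons" lists
    everything that would make forwarding a disclosure: a non-public or
    internal destination, credentials in the userinfo part, or query
    parameters whose names suggest secrets. "redacted" is a copy that is safe
    to log or to show in a consent prompt.
    """
    parts = urlsplit(url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname or ""
    if not host:
        reasons.append("missing host")
    else:
        try:
            if not ipaddress.ip_address(host).is_global:
                # loopback, RFC 1918, link-local, CGNAT, ULA, documentation ranges
                reasons.append(f"non-public address {host}")
        except ValueError:
            # Not an IP literal: bare names and reserved suffixes are internal.
            if "." not in host or host.endswith(INTERNAL_SUFFIXES):
                reasons.append(f"internal hostname {host}")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL userinfo")
    redacted_params = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SECRET_PARAM_RE.search(name):
            reasons.append(f"secret-like query parameter {name!r}")
            value = "REDACTED"
        redacted_params.append((name, value))
    netloc = parts.netloc.rsplit("@", 1)[-1]      # drop user:pass@ if present
    redacted = urlunsplit((parts.scheme, netloc, parts.path,
                           urlencode(redacted_params), parts.fragment))
    return {"ok": not reasons, "reasons": reasons, "redacted": redacted}


def parse_token_response(body: bytes) -> str:
    """Validate the loopback service's reply before trusting it.

    Loopback does not authenticate the peer: on an unprivileged port any
    process running as the same user can answer. The least the client can do
    is insist on the assumed reply shape and reject anything that does not
    look like an opaque bearer token (this also keeps newlines or spaces out
    of the Authorization header).
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError("token service returned non-JSON") from exc
    token = data.get("token") if isinstance(data, dict) else None
    if not isinstance(token, str) or not re.fullmatch(r"[A-Za-z0-9._~+/=-]{16,4096}", token):
        raise ValueError("token service returned an unexpected token shape")
    return token


def build_request(url: str, api_host: str, token: str) -> dict:
    """Compose the outbound call only when both checks pass: the URL may leave
    the device, and the bearer token goes to an allow-listed host only."""
    if api_host not in ALLOWED_API_HOSTS:
        raise PermissionError(f"refusing to present bearer token to {api_host}")
    verdict = classify_url(url)
    if not verdict["ok"]:
        raise PermissionError("refusing to forward URL: " + "; ".join(verdict["reasons"]))
    return {                                     # assumed request layout
        "url": f"https://{api_host}/",
        "headers": {"Authorization": f"Bearer {token}"},
        "json": {"url": url},
    }


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is fetched from the network.
    tok = parse_token_response(b'{"token": "c0nstructed-example-token-0123456789"}')
    for u in ("https://example.com/a?q=cats",
              "https://intranet.corp/wiki?access_token=abc",
              "http://10.0.0.5/report",
              "http://user:pw@example.com/"):
        v = classify_url(u)
        print(("FORWARD " if v["ok"] else "BLOCK   ") + v["redacted"], v["reasons"])
    print(build_request("https://example.com/a?q=cats", "api.example.invalid", tok)["headers"])
```

The point of `classify_url` returning a redacted copy is that the consent prompt the findings ask for can show the user exactly what would leave the device without itself leaking the secret; `build_request` ties the two checks together so that a token from the loopback service can never be attached to a request bound anywhere but the allow-listed API host.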

VirusTotal

64/64 vendors reported this skill as clean (no detections).