Utf8 Encoder

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real UTF-8 publishing helper, but it embeds live-looking Discord/GitHub credentials and can publish or persist content with too little user control.

Review before installing. Do not run the integration test or publishing commands until the embedded Discord webhook and GitHub token are removed and revoked, credential logging is redacted, and external publishing plus local backups require clear opt-in confirmation. Treat any file passed to the publishing workflow as content that may be sent to Discord/GitHub or written to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill declares no permissions beyond a Bash tool, yet the documented behavior relies on environment variables such as DISCORD_WEBHOOK and GITHUB_TOKEN. This creates a capability/permission mismatch that can cause users or higher-level systems to underestimate the skill's access to sensitive credentials and outbound publishing actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding:
The skill is described as an encoding/publishing infrastructure, but the documentation expands it into general-purpose cross-platform publishing, direct network transmission, local file backup, and token-driven API interactions. This description-behavior mismatch is dangerous because operators may enable or trust it for narrow encoding support while it actually performs broader data exfiltration and persistence-capable actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding:
The document frames the skill as encoding infrastructure, but its examples and claims include multi-platform publishing orchestration, retries, failover, monitoring, alerting, and local backups. This scope expansion increases risk because users may not realize the skill can move content across services and persist copies locally, broadening the attack surface beyond text encoding.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill documentation instructs use of environment-stored platform credentials for Discord and GitHub, even though such access is not obviously required for mere UTF-8 processing. In context, this expands the trust boundary from local text handling to privileged account operations, enabling unauthorized posting or data exposure if the skill is over-trusted.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
This file performs real outbound actions to Discord and GitHub despite being presented as a UTF-8 publishing/encoding utility. That broadens the skill’s capabilities from encoding support into external content publication, which can cause unauthorized data transmission, spam, or use of third-party accounts during testing.

Context-Inappropriate Capability

Severity: High
Confidence: 100%
Finding:
The script contains hardcoded fallback live credentials for a Discord webhook and a GitHub personal access token. Embedded secrets are highly dangerous because anyone with access to the code can reuse them to post externally, access associated resources, and persist abuse beyond the intended test flow.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The code comments claim configuration comes from environment variables, but the implementation silently falls back to active hardcoded credentials. This is deceptive and dangerous because it defeats operator expectations and can trigger real external access even when a user believes no credentials are configured.

Description-Behavior Mismatch

Severity: Low
Confidence: 91%
Finding:
The code silently writes content to a local backup file when GitHub publication fails, but this persistence behavior is not disclosed in the skill description. That creates a confidentiality risk because sensitive release content, secrets, or internal text may be left on disk unexpectedly where other local users, processes, or backups can access it.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Automatic local file persistence is not necessary to perform UTF-8 encoding or network publishing and can expose the content beyond the user's expectations. In a release/publishing context, failed outbound content may include unpublished material or credentials embedded in text, so writing it to disk creates avoidable data-retention and leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The document promotes automatic multi-platform publishing and local backup behavior without prominent warnings that content may be transmitted to external services or written to disk. In a skill intended to run as infrastructure, lack of explicit disclosure increases the chance of unintended data leakage, especially when users may assume it only normalizes encoding.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script creates a real GitHub Gist through an API call and does not provide sufficiently explicit, informed consent before writing to an account. In this file’s context, the risk is amplified because a hardcoded token may cause writes to a third-party account rather than the operator’s own account.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The fallback persists content to a local file without any explicit warning, which can surprise users and leave sensitive material on disk. This is especially risky in automation or shared environments where generated backup files may be indexed, synced, or read by other users and tools.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding:
The comments explicitly recommend suppressing reporting of automatic processing details to the user, which undermines transparency around data handling. While the hidden action here is encoding-related rather than overtly malicious, this pattern is dangerous because it normalizes undisclosed behavior and can conceal materially important processing or side effects in future changes.

VirusTotal

No VirusTotal findings