Back to skill

Security audit

Star Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real search tool, but it bundles credentials, account/payment logic, image upload, persistence, and server-ops guidance that is broader and less tightly scoped than a normal search skill.

Install only if you trust this publisher to operate a full search web service, not just a lightweight MCP search wrapper. Review and restrict any LLM_API_KEY, LLM_BASE_URL, Cloudflare token, server deployment, OCR upload, account, and payment configuration before use; avoid running the deployment/root scripts or exposing the HTTP/SSE server unless you intend to administer the whole service. The clean VirusTotal result lowers malware concern, but it does not resolve the artifact-backed scoping and credential-handling issues.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (72)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""通过 Camofox + 百度搜索"""
    
    # 1. 创建 tab
    tab_resp = subprocess.run([
        'curl', '-s', '-X', 'POST', 
        f'{camofox_url}/tabs',
        '-H', 'Content-Type: application/json',
Confidence
92% confidence
Finding
tab_resp = subprocess.run([ 'curl', '-s', '-X', 'POST', f'{camofox_url}/tabs', '-H', 'Content-Type: application/json', '-d', json.dumps({ "userId": "st

subprocess module call

Medium
Category
Dangerous Code Execution
Content
time.sleep(3)
    
    # 3. 获取 snapshot
    snap_resp = subprocess.run([
        'curl', '-s', 
        f'{camofox_url}/tabs/{tab_id}/snapshot',
        '-G', '--data-urlencode', 'userId=star-search'
Confidence
94% confidence
Finding
snap_resp = subprocess.run([ 'curl', '-s', f'{camofox_url}/tabs/{tab_id}/snapshot', '-G', '--data-urlencode', 'userId=star-search' ], capture_output=True, text=True, t

Tainted flow: 'req' from os.environ.get (line 454, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"Content-Type": "application/json"
            }
        )
        with urllib.request.urlopen(req, timeout=LLM_TIMEOUT) as resp:
            return json.loads(resp.read())

    try:
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=LLM_TIMEOUT) as resp:

Tainted flow: 'req' from os.environ.get (line 454, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
data=json.dumps(req_data).encode(),
            headers={"Authorization": f"Bearer {LLM_API_KEY}", "Content-Type": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())

    try:
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Tainted flow: 'req' from os.environ.get (line 52, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
},
    )
    try:
        with urllib.request.urlopen(req, timeout=LLM_TIMEOUT) as resp:
            data = json.loads(resp.read())
            return data['choices'][0]['message']['content']
    except Exception as e:
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=LLM_TIMEOUT) as resp:

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README documents a public web app, PWA, and user account system that materially exceed the stated scope of a simple 4-tool search MCP skill. This scope expansion increases the attack surface for agents and users by introducing authentication, session handling, browser-exposed UI, and persistent user data flows that may not be expected from the manifest or allowed by policy.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Adding multimodal OCR and deep-research agent workflows extends the skill beyond ordinary search into file ingestion and autonomous multi-step processing. Those features can handle sensitive uploaded content and trigger additional external requests, making the skill more dangerous than its search-focused description suggests.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README lists many HTTP endpoints and service capabilities not reflected in the manifest's claim of a standard MCP server with 4 tools. This mismatch can mislead integrators and agents about what the skill can do, undermining least-privilege assumptions and hiding additional externally reachable functionality.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation instructs the operator to disable Bot Fight Mode or whitelist traffic in Cloudflare, including use of elevated API token permissions. Those are security-control changes on the operator's infrastructure, and embedding them in a search skill makes the skill capable of encouraging broad reduction of perimeter protections to restore functionality.

Description-Behavior Mismatch

Medium
Confidence
72% confidence
Finding
The skill documentation adds realtime quote retrieval and multimodal OCR search endpoints that are not reflected in the manifest description. Undisclosed expansion of capabilities increases the chance that users will provide images or rely on financial outputs without understanding the additional data flows and risks.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The UI tells users the payment system is not open, but the script still attempts to create payment orders and redirect to a payment URL. This inconsistency can expose unintended payment functionality, confuse users, and increase the chance that a test or partially configured payment backend is reachable from production pages.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This deployment document for a web-search skill includes operational guidance for SSH access, nginx configuration inspection, Docker container interaction, and direct PostgreSQL queries. Those capabilities exceed the stated purpose of the skill and materially increase the chance that an agent or operator will use the skill context to perform infrastructure administration, expanding blast radius from search functionality into full server and database access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This documentation embeds code that searches multiple local credential sources, including a server-specific .env file and ~/.hermes/auth.json, which goes beyond the core purpose of a search skill and normalizes credential discovery behavior. In an agent-skill context, this is dangerous because it encourages implementers to grant the skill access to unrelated secrets and increases the chance of secret exposure or reuse in ways users do not expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation describes loading API credentials not only from an explicit environment variable but also from a server-local .env file and a user-scoped ~/.hermes/auth.json. For a web-search skill, reaching into user-specific auth storage broadens the credential exposure surface and can cause unrelated secrets to be consumed or exfiltrated to an external LLM endpoint if the code is reused in agent environments.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill reads API credentials from unrelated home-directory files, including ~/.hermes/auth.json, even though answer summarization should only use explicitly provided configuration. Accessing ambient local secrets broadens the trust boundary and can silently repurpose credentials from other tools for outbound network calls.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The docstring states that environment variables are optional configuration, but the implementation silently searches local files for API keys. This mismatch undermines informed consent and makes operators less likely to realize the skill is accessing and reusing other local secrets.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The code reads credentials and endpoint configuration from a fixed local .env path, expanding the trust boundary beyond process environment into a file on disk. In an agent/server setting, that can enable unauthorized credential use or endpoint redirection if the file is writable, symlinked, or populated by another component.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script enumerates host uptime, memory usage, high-CPU processes, service status, listening ports, and nginx error logs, which are operational diagnostics unrelated to a web-search skill’s declared purpose. In an agent-integrated skill, such host introspection can leak sensitive infrastructure details and expands the skill’s capabilities into local system reconnaissance, making post-compromise or misuse more effective.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The helper reads a fixed local .env file and overrides runtime environment values, granting this component direct access to locally stored secrets and configuration outside its stated entity-card lookup role. In an agent skill, hard-coded secret-file access expands privilege unexpectedly and can expose credentials or redirect traffic to attacker-controlled endpoints if that file is modified.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The module persists LLM-generated cards to a local JSON cache, adding write-side effects to what appears to be a lookup helper. While not immediately dangerous by itself, undocumented persistence can retain untrusted model output and create integrity, privacy, or disk-abuse issues over time.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file adds image upload and OCR behavior to a skill advertised primarily as web search, expanding collection and processing of user data beyond the declared scope. In an agent ecosystem, this kind of capability drift is dangerous because users and callers may grant trust or permissions based on the narrower manifest description.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill executes local OCR on user-supplied content, which is a materially different capability from simple web search and increases the attack surface through native parsing of untrusted files. Even without shell injection, invoking external processors on attacker-controlled inputs can enable denial of service or exploitation of parser vulnerabilities in the OCR stack.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Uploaded images are persistently written to disk under a fixed server path with no retention control shown, creating unnecessary storage of potentially sensitive user content. This increases privacy and breach impact because screenshots often contain credentials, personal data, or confidential business information.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements payment and subscription management inside a skill advertised as a web search/research MCP server, creating a strong capability mismatch. In agent ecosystems, hidden billing logic is risky because operators may grant the skill network, filesystem, or callback exposure assuming it only performs search, increasing the chance of unauthorized monetization or abuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The module accesses Alipay-related credentials and contains billing state logic even though the stated skill purpose is search/research. This increases risk because secrets and payment flows are introduced into a context where users and administrators would not reasonably expect financial processing, widening the blast radius if the skill is compromised or misused.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.html:1414

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/verify.py:6