小弟办公秘书团队

Security checks across malware telemetry and agentic risk

Overview

This office assistant skill is mostly purpose-aligned, but it asks for broad office-data access and command/file authority without enough scoping, consent, or safety controls.

Install only if you are comfortable giving an office-assistant skill access to sensitive documents, meetings, email text, calendar content, generated files, and possibly command execution. Use it with explicit prompts, avoid feeding confidential data unless needed, review generated files before sharing, and prefer a version that scopes file paths, removes broad exec access, confirms scheduling/email actions, and documents retention and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises file-reading and file-writing style capabilities such as formatting Markdown into DOCX, reading from files/stdin, using a config file, and saving outputs, but the manifest does not declare corresponding permissions. This creates a trust and review gap: users and the platform cannot accurately assess what local data the skill may access or modify, which is risky for an office assistant handling potentially sensitive documents.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The declared description presents the skill as an office secretary team, but the document also describes additional behaviors including mindmap generation, multi-agent orchestration, DOCX export, and local file saving. This mismatch matters because users may grant trust based on a narrower purpose while the skill actually performs broader processing and persistence of content, increasing the chance of unexpected handling of sensitive office data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document-manager is granted the `exec` capability even though its stated role is document formatting and conversion. In an agentic workflow, arbitrary execution materially increases the blast radius of prompt injection or malformed document content, because a compromised or misled agent could run local commands or unsafe scripts rather than only performing bounded file transformations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The generated HTML embeds an external script from a CDN without pinning, integrity validation, or an offline-local copy. If the CDN asset is compromised, replaced, or blocked, opening the generated HTML can execute untrusted JavaScript in the user's browser context, creating a supply-chain and script-injection risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes scanning calendars, pulling unread emails, and collecting meeting/chat records, but it does not mention user consent, scope limitation, or privacy handling. In an office-assistant context, these data sources commonly contain sensitive personal, business, and internal information, so silent access expectations can lead to over-collection or disclosure.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The document management section states that content can be formatted and exported to docx/PDF without warning that files may be created or converted. This can surprise users, cause unintended persistence of sensitive material, or create extra copies in different formats that are harder to track or delete.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README uses very broad natural-language examples such as arranging meetings or organizing documents without defining explicit invocation boundaries, confirmation requirements, or scope limits. In an office-assistant skill, these phrases are highly likely to overlap with ordinary user conversation, which can cause unintended activation or execution of actions on calendars, documents, or meeting workflows.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The routing keywords are very broad common office terms, so ordinary user text may unintentionally trigger specialized processing paths. In a skill that handles meetings, email, documents, and scheduling, accidental routing can expose sensitive content to unnecessary processing steps or cause unintended file creation or task execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is designed to process meeting notes, emails, calendars, and documents, all of which commonly contain confidential business and personal information, but it does not clearly explain data handling, retention, storage, sharing, or consent boundaries. In this context, the missing privacy guidance is more dangerous than usual because office-assistant workflows routinely aggregate multiple sensitive data sources into summaries, drafts, schedules, and saved files.

VirusTotal

59/59 vendors flagged this skill as clean.