Security audit

my_acceptance_rate_analysis2

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for internal acceptance-rate analytics, but it automatically persists a sensitive browser-derived access token and can send it to configurable endpoints.

Install only if you trust this publisher with the BIGDATA analytics cookie token and internal query results. Prefer using a short-lived token for the current session, avoid --endpoint overrides unless you control the host, and remove BIGDATA_ACCESS_TOKEN from shell profiles or user environment storage after use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Tainted flow: 'DEFAULT_ENDPOINT' from os.getenv (line 12, credential/environment) → httpx.post (network output)

Critical

Category: Data Flow
Content: json.dumps(payload, ensure_ascii=False, indent=2), ) response = httpx.post( endpoint or DEFAULT_ENDPOINT, headers={ "Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}",
Confidence: 95% confidence
Finding: response = httpx.post( endpoint or DEFAULT_ENDPOINT, headers={ "Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}", "Content-Type": "ap

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The skill instructs the agent to persist a user-provided access token into process state and long-lived user-level environment storage such as shell profiles or the Windows user environment. For a read-oriented analytics workflow, long-term credential persistence is unnecessary and increases the blast radius of token theft, reuse by other processes, and accidental disclosure in future sessions.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill embeds a credential acquisition and persistence workflow—explicitly telling users to extract a cookie token from browser developer tools and then store it for reuse—despite presenting itself as a staged analysis skill. This hidden expansion of scope materially increases the risk of credential harvesting, secret sprawl, and misuse by downstream commands or other tools.

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The skill does more than read an access token for the current run: it writes the token into process environment variables and persists it into long-lived user locations such as Windows user environment or Unix shell profiles. This expands the blast radius of a secret used for one analysis task, making it available to future sessions, other local processes, and accidental disclosure through logs, shell history, or profile inspection.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The code explicitly instructs users to extract an authentication token from browser cookies and provide it to the script, then states that the script will automatically write it somewhere reusable for future sessions. Encouraging manual cookie extraction bypasses safer delegated auth flows and increases the chance of credential theft, mishandling, reuse outside intended scope, and session compromise.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script's design enables token persistence behavior without an explicit confirmation step at the point of use, and comments indicate this is automatic when an explicit token is provided. Persisting secrets without clear user consent is risky because it silently changes the user's environment and leaves behind reusable credentials after the task is complete.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal