
Security audit

MaybeAI Upload Audit

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but its sharing feature publishes the audit report over a public, unauthenticated trycloudflare URL, and because it can serve a whole directory rather than a single file, other local files next to the report can be exposed along with it. Neither step has adequate safeguards.

Review before installing. Use short-lived, least-privileged MaybeAI credentials, avoid putting tokens in shell history or shared logs, and do not run --share unless you intend to create a public unauthenticated URL. If sharing is needed, generate the report in a dedicated empty directory, stop the tunnel immediately after use, and avoid using production data or real customer media for testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Tainted flow: 'upload_url' from requests.post (line 96, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
content_type = mimetypes.guess_type(str(path))[0] or "application/octet-stream"
with path.open("rb") as fh:
    put = requests.put(
        upload_url,
        data=fh,
        headers={"Content-Type": content_type},
        timeout=300,
    )
Confidence
77% confidence
Finding
put = requests.put( upload_url, data=fh, headers={"Content-Type": content_type}, timeout=300, )
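The tainted flow above means the destination of the PUT is whatever the API response says it is; if that response is wrong, tampered with, or attacker-influenced, the file bytes go wherever it points. The credential findings below raise the related problem of passing the bearer token and user-id on the command line. The following is an added example written for this audit page, not the audited skill's own upload code: it checks the returned upload_url against an HTTPS host allowlist before the PUT, reads the credentials from the environment instead of argv, and masks the token for logs. The allowlisted host, the environment variable names, and the injectable `put` parameter are assumptions made for illustration.

```python
"""Hardened upload step for a tainted upload_url (added example, not the skill's code)."""
import mimetypes
import os
from pathlib import Path
from urllib.parse import urlsplit

# Hosts an upload_url may point at. Assumption: a placeholder host is used here;
# a real deployment would list the actual MaybeAI storage host(s).
ALLOWED_UPLOAD_HOSTS = frozenset({"uploads.example-maybeai.test"})


def validate_upload_url(url: str, allowed_hosts=ALLOWED_UPLOAD_HOSTS) -> str:
    """Return url unchanged if it is https, has no embedded credentials, and
    its host is on the allowlist; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https upload target: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"refusing upload target host {host!r}")
    if parts.username or parts.password:
        raise ValueError("refusing upload target with embedded credentials")
    return url


def mask_secret(secret: str, keep: int = 4) -> str:
    """Render a token for logs or screenshots: only the last few characters survive."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def load_credentials(env=None):
    """Read the bearer token and user id from the environment.

    Keeping them out of argv keeps them out of shell history, `ps` output and
    agent transcripts that echo the command line. Variable names are assumptions.
    """
    env = os.environ if env is None else env
    token = env.get("MAYBEAI_TOKEN", "")
    user_id = env.get("MAYBEAI_USER_ID", "")
    if not token or not user_id:
        raise RuntimeError("set MAYBEAI_TOKEN and MAYBEAI_USER_ID in the environment")
    return token, user_id


def upload_file(path: Path, upload_url: str, put=None) -> dict:
    """PUT a local file to upload_url, but only after the URL passes validation.

    `put` defaults to requests.put and is injectable so the function can be
    exercised offline with a stand-in.
    """
    if put is None:
        import requests
        put = requests.put
    target = validate_upload_url(upload_url)
    content_type = mimetypes.guess_type(str(path))[0] or "application/octet-stream"
    with path.open("rb") as fh:
        resp = put(target, data=fh, headers={"Content-Type": content_type}, timeout=300)
    return {"target": target, "status": getattr(resp, "status_code", None)}


if __name__ == "__main__":
    token, user_id = load_credentials()
    print("using token", mask_secret(token), "for user", user_id)
```

The allowlist check is the part that actually closes the tainted flow: the request to the MaybeAI API stays as it is, but a response naming any other host, or a plain-http URL, aborts the upload instead of sending the file.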

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script contains a built-in feature to publicly expose a local file or directory over a trycloudflare tunnel, which is a strong exfiltration capability not necessary for a normal upload/audit helper. In this skill context, generating and optionally sharing an audit report makes the capability more dangerous because reports may contain sensitive business data, uploaded file references, or workflow results that become internet-accessible.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly automates publishing the generated audit report through a public trycloudflare URL, but it does not require an explicit user confirmation or warn that report contents may include sensitive media, spreadsheet links, audit results, and business data. In this context, the risk is elevated because the skill is designed to process internal product-review artifacts and then expose them on a publicly reachable endpoint, creating a straightforward path for unintended data disclosure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill requires a bearer token and user-id to operate but provides no guidance on secure handling, storage, masking, or minimization of these credentials. Although requesting credentials is functionally necessary for the workflow, the absence of safety guidance increases the chance they are exposed in command history, logs, screenshots, or downstream tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document explicitly states it was validated with real user tokens and real production workflow executions, and then provides detailed production endpoints, workflow identifiers, artifact IDs, spreadsheet URLs, and operational guidance. Even without embedding the token values themselves, this normalizes unsafe testing against live user data and exposes sensitive internal implementation details that could enable misuse, privacy violations, or facilitate follow-on attacks against production systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs use of authenticated requests with both a bearer token and user-id against external workflow endpoints, but provides no safety guidance, scope restrictions, or handling requirements for those credentials. In an agent-skill context, this can normalize exfiltration or misuse of account-bound secrets and enable unauthorized workflow execution under the user's identity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The notes describe uploading user-provided images, writing derived analysis into a remote spreadsheet, and then auditing that sheet, all without clearly warning that files and generated data leave the local environment and may modify remote state. In a skill, undocumented remote upload and write behavior can cause privacy violations, unintended disclosure of proprietary content, and destructive or hard-to-reverse data changes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code makes a local file or entire directory publicly accessible over the internet via a trycloudflare tunnel with no explicit consent prompt, no scope restriction, and no warning that directory contents may be exposed externally. In an agent or automation context, this is dangerous because a user may intend local processing only, while the skill silently converts private local data into remotely reachable content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script uploads user-specified local files to external services with no strong disclosure at the point of use about what is being sent, where it is sent, and that the content leaves the local environment. In an agent skill, this is security-relevant because skills may be run by users who assume local processing, creating a meaningful risk of unintended data exfiltration.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script can publish a generated HTML report to a public trycloudflare URL without a strong warning, access control, or explicit acknowledgement that the result is internet-accessible. Because audit reports commonly contain sensitive findings, source URLs, and uploaded artifact details, this creates a high-risk accidental data exposure path in this context.
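The sharing findings above (no consent prompt, no scope restriction, directory exposure, unbounded lifetime) and the overview's advice to share from a dedicated empty directory and stop the tunnel right after use all point at the same missing guard. The following is an added example written for this audit page, not the skill's own --share implementation: it refuses to publish unless the user explicitly acknowledges that the URL is public, accepts only a single HTML file (never a directory), copies that file alone into a fresh temporary directory so nothing else on disk is reachable through the tunnel, and tears the tunnel down after a fixed window. The `cloudflared tunnel --url` quick-tunnel command is real; the `--i-understand-public` flag name, the port, the size limit and the staging layout are assumptions.

```python
"""Guarded report sharing for a trycloudflare publish step (added example, not the skill's code)."""
import shutil
import subprocess
import tempfile
import time
from pathlib import Path


class ShareRefused(Exception):
    """Raised when a share request fails one of the safety checks."""


def check_share_request(report: Path, acknowledged: bool, max_bytes: int = 20_000_000) -> Path:
    """Allow only an explicitly acknowledged, single, regular HTML file."""
    if not acknowledged:
        raise ShareRefused("--share creates a public, unauthenticated URL; "
                           "re-run with --i-understand-public to confirm")  # flag name is an assumption
    resolved = report.resolve()
    if not resolved.is_file():
        raise ShareRefused(f"only a single regular file may be shared, not {resolved}")
    if resolved.suffix.lower() not in {".html", ".htm"}:
        raise ShareRefused("only the generated HTML report may be shared")
    if resolved.stat().st_size > max_bytes:
        raise ShareRefused("report too large to publish")
    return resolved


def stage_report(report: Path) -> Path:
    """Copy the report alone into a brand-new temp directory and return it.

    Serving from here instead of the working directory means sibling files
    (source images, spreadsheets, token files) cannot be fetched via the tunnel.
    """
    staging = Path(tempfile.mkdtemp(prefix="share-"))
    shutil.copy2(report, staging / "index.html")
    return staging


def serve_for(staging: Path, seconds: int, port: int = 8765) -> None:
    """Serve the staging dir on loopback, expose it with a quick tunnel, and tear both down."""
    server = subprocess.Popen(["python3", "-m", "http.server", str(port),
                               "--bind", "127.0.0.1", "--directory", str(staging)])
    tunnel = subprocess.Popen(["cloudflared", "tunnel", "--url", f"http://127.0.0.1:{port}"])
    try:
        time.sleep(seconds)  # the public URL exists only for this window
    finally:
        tunnel.terminate()
        server.terminate()
        tunnel.wait()
        server.wait()
        shutil.rmtree(staging, ignore_errors=True)


def share_report(report: Path, acknowledged: bool, seconds: int = 600) -> None:
    """Full guarded flow: check, stage in an empty directory, serve briefly, clean up."""
    serve_for(stage_report(check_share_request(report, acknowledged)), seconds)


def make_sample_report() -> Path:
    """Write a constructed sample report next to a constructed 'secret' sibling file.

    Used to exercise the guards offline; the contents are made up for this example.
    """
    work = Path(tempfile.mkdtemp(prefix="audit-"))
    report = work / "audit-report.html"
    report.write_text("<html><body><h1>Upload audit (constructed sample)</h1></body></html>")
    (work / "notes.txt").write_text("internal notes that must never be published")
    return report


if __name__ == "__main__":
    sample = make_sample_report()
    try:
        check_share_request(sample, acknowledged=False)
    except ShareRefused as exc:
        print("refused as expected:", exc)
    staged = stage_report(check_share_request(sample, acknowledged=True))
    print("staging dir contains only:", [p.name for p in staged.iterdir()])
```

The staging step is what separates a file share from a directory share: even if a caller passes the report's real location, the tunnel never sees that directory, only a copy of the one file in an otherwise empty one.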

VirusTotal

0 of 67 VirusTotal vendors flagged this skill; all 67 reported it clean. A clean antivirus result says nothing about the findings above, which concern the skill's design (public report sharing and credential handling) rather than malicious code.
