Back to skill

Security audit

Ora决策人开发专家

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed business contact lookup skill that uses an Ora/Topeasy API key and external service, with privacy-sensitive but purpose-aligned behavior.

Install only if you intend to use Ora/Topeasy for authorized business contact lookup. Expect queries and your OraAgent.key-derived authorization to be sent to the external API, and treat generated temp JSON files as sensitive because they may contain personal contact details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to run Node.js scripts that read a local secret file (`OraAgent.key`) and send user-supplied queries to an external service, yet the metadata does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: a host may treat the skill as lower risk than it really is, while the skill still performs network access and local secret use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.