Back to skill

Security audit

Pangolinfo AI SERP: AI Mode Output + AI Overviews

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it gives inconsistent guidance about API-key handling and includes broad unrelated Pangolinfo workflows beyond its stated Google SERP purpose.

Install only if you are comfortable giving the Pangolinfo MCP/skill access to a PANGOLINFO_API_KEY and with the bundled instructions referencing broader Amazon/WIPO Pangolinfo workflows. The publisher should clarify one credential flow, remove the contradictory 'no API key env var' claim, and keep this skill scoped to the declared Google SERP and trends tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill claims to be 'MCP-native' with no local API-key environment-variable handling, yet later instructs the agent to read `PANGOLINFO_API_KEY` from the environment. This inconsistency can cause the agent to access sensitive credentials in ways users did not expect and undermines trust in the skill's security model.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is described as a Google SERP/Trends tool, but the embedded core rules include broad Amazon and WIPO workflows unrelated to the declared scope. This scope expansion increases attack surface by encouraging use of additional tools and behaviors the user did not request, making unintended data access or over-privileged actions more likely.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document contradicts itself about whether API-key environment-variable usage exists. Contradictory security instructions are dangerous because agents may follow the more permissive path, leading to unexpected secret handling and weakening operator control over authentication boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill tells the agent to read API keys from environment/config and not ask the user again, without a clear warning that this involves sensitive credentials. That encourages silent secret use and normalization of credential access, which can surprise users and increase the chance of accidental disclosure or misuse in a compromised or overly broad agent environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.