Tp4
High
- Category: MCP Tool Poisoning
- Confidence: 91% confidence
- Finding: The skill declares that it is based on the KIE AI API and requires KIE_API_KEY, but its behavior also includes the ability to switch to the LaoZhang API, separate task query/polling, and understanding features that depend on other credentials. This inconsistency between description and behavior misleads users and auditors, causing users to send images, videos, and prompts to additional third-party services without knowing the real data flows, external services, and credential requirements.
Security audit
Security checks across malware telemetry and agentic risk
This is a user-directed image generation and media understanding skill that uses external AI APIs as expected, with documentation gaps around provider choices and uploads.
Install only if you are comfortable sending prompts and selected images or videos to KIE AI, or to LaoZhang when --use-laozhang is used. Configure only the API keys you intend to use, avoid sensitive media unless allowed by your privacy or compliance requirements, and note that the manifest understates the optional understanding credentials.
65/65 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal