Back to skill

Security audit

Giggle Files Management

Security checks across malware telemetry and agentic risk

Overview

This skill uploads local files to a public asset service as advertised, but its instructions are too broad and could expose private files without clear confirmation.

Install only if you want this agent to publish files through Giggle’s public asset service. Use it only for files you explicitly want hosted publicly, avoid secrets or confidential documents, and confirm which API key will be used before uploading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a shell script (`bash {baseDir}/scripts/upload.sh ...`) but does not declare permissions or clearly constrain shell execution. Undeclared shell capability increases the chance that a host system or agent grants broader execution than reviewers expect, reducing transparency and making misuse harder to govern.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script accepts STORYCLAW_API_KEY as a fallback credential for an unrelated Giggle asset upload operation, which is cross-service credential reuse. This can cause unintended use of a broader or different secret than the user expected and may exfiltrate data to an external service under the authority of the wrong account.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comment explicitly documents intentional preference ordering between a Giggle key and a Storyclaw key, reinforcing that cross-service credential reuse is by design rather than accidental. In a file-upload skill that transmits local files externally, this increases risk because it normalizes using unrelated secrets to authorize outbound operations.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill gives very broad instructions to 'always upload' whenever the agent needs to send, show, or share a file, including files it has read or generated. This can cause the skill to be invoked in many normal workflows without checking whether the file contains secrets, regulated data, or content that should never be made externally accessible.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill encourages uploading files and returning public/download URLs but does not prominently warn that this creates externally accessible links and may expose sensitive data. Without that warning, an agent or user may treat upload as a routine display mechanism and unintentionally disclose private local or generated content to a public CDN.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads arbitrary local file contents to external endpoints and registers them as public assets without any user-facing warning, confirmation, or disclosure at execution time. In an agent skill context, this is dangerous because users may invoke it on sensitive local files without realizing the contents will leave the system and become publicly accessible.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to upload any file it needs to show the user, including files read from disk or produced by other tools, then share the resulting URL. In context, this creates a direct semantic path from local file access to public disclosure, which is especially dangerous because the destination is a public asset service rather than an access-controlled private store.

External Transmission

Medium
Category
Data Exfiltration
Content
CONTENT_TYPE="$(detect_content_type "$CUSTOM_NAME")"

# --- Step 1: Get presigned URL ---
PRESIGN_RESP="$(curl -sS -X POST "$API_BASE/get-presigned-url" \
  -H "Content-Type: application/json" \
  -H "Accept: */*" \
  -H "x-api-key: $API_KEY" \
Confidence
89% confidence
Finding
curl -sS -X POST "$API_BASE/get-presigned-url" \ -H "Content-Type: application/json" \ -H "Accept: */*" \ -H "x-api-key: $API_KEY" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# --- Step 3: Register asset ---
REGISTER_RESP="$(curl -sS -X POST "$API_BASE/register" \
  -H "Content-Type: application/json" \
  -H "Accept: */*" \
  -H "x-api-key: $API_KEY" \
Confidence
88% confidence
Finding
curl -sS -X POST "$API_BASE/register" \ -H "Content-Type: application/json" \ -H "Accept: */*" \ -H "x-api-key: $API_KEY" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.