Security audit

XO Protocol

Security checks across malware telemetry and agentic risk

Overview

XO Protocol is a disclosed API integration for user-authorized dating trust, profile, and public-post data, with sensitive but purpose-aligned access.

Install only if you trust XO Protocol with OAuth-approved dating-related data. Use the minimum scopes needed, protect and rotate the API key and token, and be careful before allowing an AI client to browse profile or newsfeed data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill instructs users to configure environment variables containing sensitive credentials (`XO_API_KEY`, `XO_ACCESS_TOKEN`) and to run an MCP server that makes network calls, but the skill does not declare corresponding permissions. This creates a transparency and consent gap: hosts and reviewers may underestimate what the skill can access, while the skill can handle secrets and transmit data externally.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The API markets itself as a dating-intelligence and trust layer, but also exposes a `newsfeed` endpoint that returns post content for other users via a `tmp_id`. In an agent context, that materially expands the data surface from scoring/verification into content surveillance, increasing privacy risk and the chance of over-collection beyond what an integrator or user may reasonably expect.

Description-Behavior Mismatch

Medium
Confidence: 75%
Finding
The top-level description promises that private information is never exposed without consent, yet the authorization-code generation endpoint is described as requiring no API key and relying only on IP rate limiting. Even if the endpoint does not directly return profile data, weak front-door protection around consent and code issuance can enable abuse of the auth flow, such as code farming, consent spoofing attempts, or token acquisition against misconfigured clients.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README documents access to sensitive relationship-oriented data such as user preferences and public posts, but the usage guidance does not clearly instruct integrators to present strong user-facing disclosures, consent UX, data minimization, or downstream handling restrictions. In a dating/intimacy context, even self-disclosed preferences and social activity can be highly sensitive, so omission of privacy warnings can lead to over-collection or misuse despite the API's scope model.

VirusTotal

65/65 vendors flagged this skill as clean.