Security audit

人群宇宙投放追踪周报

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate the advertised internal weekly report, but it automatically uses SSO credentials and publishes sensitive business data without clear consent or sharing limits.

Install only if you are authorized to access the relevant RedBI dashboards and publish the resulting reports. Before running it, confirm the dashboard scope, report recipients, Redoc visibility, preview-server lifetime, and whether local SSO cookie use is acceptable for your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill declares broad operational behavior including local file reads, file writes, and shell execution, but does not declare permissions or constrain those capabilities. In this context, the undocumented capabilities are security-relevant because the workflow reads local credential material, writes generated artifacts, and launches services, increasing the attack surface and reducing review transparency.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill directly reads SSO cookies from a local token file and reuses them in network requests, which is a credential-access pattern. This is dangerous because it normalizes credential harvesting inside a skill and could enable unauthorized access, session misuse, or lateral movement if the cookie is exposed, logged, or repurposed beyond the intended reporting task.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The workflow performs authenticated network access using SSO-derived credentials and downloads data, yet it does not clearly inform the user that their session credentials and internal data will be used this way. This is dangerous because sensitive data processing occurs without transparent consent boundaries, increasing the risk of unauthorized access expectations and accidental data handling violations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill mandates starting a local HTTP preview service and publishing a Redoc document link, but does not warn users that report contents will be exposed over HTTP and uploaded to a documentation system. This is risky because the generated report may contain internal business data, and accidental externalization or broader internal exposure could leak sensitive information.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The cover-image retrieval flow uses SSO cookies to access pages and fetch assets, but the skill does not disclose this authenticated web access to the user. This is dangerous because privileged credentials are being sent to web endpoints as part of scraping logic, which expands the credential exposure surface and may violate least-privilege expectations.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation includes a ready-to-run example that obtains an SSO cookie and immediately uses it in an authenticated request to an internal service, without any warning about credential handling, data sensitivity, or scope of access. In an agent skill context, this normalizes automated authenticated access to internal data and may lead operators or downstream tooling to exfiltrate or process protected dashboard exports without explicit consent or review.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The script obtains an authenticated SSO cookie and immediately uses it to query a protected internal API and later download files, but it provides no explicit user consent, scope limitation, or warning that authenticated access and potentially sensitive data transfer will occur. In an agent-skill context, this is dangerous because execution can silently reuse a user's enterprise session to access and export internal data beyond what the user may expect from a simple report-generation workflow.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
```bash
COOKIE=$(cat /home/node/.token/sso_token.json | python3 -c "import sys,json; print(json.load(sys.stdin).get('cookie',''))")

# Step 2: query the latest download task list
curl -s -X POST "https://redbi.devops.xiaohongshu.com/api/download/task/list" \
  -H "Cookie: $COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"pageNo":1,"pageSize":30}'
```
Confidence: 90%

External Script Fetching

Severity: High
Category: Supply Chain
Content
```bash
-H "Cookie: ${SSO_COOKIE}" \
  "https://www.xiaohongshu.com/explore/${nid}")
img_url=$(echo "$PAGE" | grep -o 'og:image" content="[^"]*"' | head -1 | sed 's/og:image" content="//;s/"//')
curl -s --max-time 15 -H "Referer: https://www.xiaohongshu.com/" "$img_url" -o /tmp/covers/$nid.jpg
```
- Only a file larger than 50KB counts as success (a smaller file means it is a placeholder image)
- Embed as base64: `data:image/jpeg;base64,xxx`; external links are forbidden
Confidence: 92%

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.