Back to skill

Security audit

Star Office UI Master

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real office-dashboard skill, but it combines public exposure, weak default controls, background status sharing, and local data/API-key handling in a way users should review before installing.

Install only if you are comfortable running a local web service that can be exposed publicly. Before using any public URL, set strong FLASK_SECRET_KEY and ASSET_DRAWER_PASS values, rotate or replace default join keys, disable or protect memo display if it may contain private notes, and avoid entering a Gemini API key unless you understand where it is stored and who can reach the dashboard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (31)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
f"magick '{td}/f_*.png'{prep} "
                f"-tile {cols_eff}x{rows_eff} -background none -geometry +0+0 {quality_flag} '{out_path}'"
            )
            rc = os.system(cmd)
            if rc != 0:
                raise RuntimeError("ImageMagick 拼图失败")
            return out_path, cols_eff, rows_eff, frames, out_fw, out_fh
Confidence
97% confidence
Finding
rc = os.system(cmd)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
f"-vf '{vf}' "
            f"{ffmpeg_quality} '{out_path}' >/dev/null 2>&1"
        )
        if os.system(cmd2) != 0:
            raise RuntimeError("ffmpeg 拼图失败")
        return out_path, frames, 1, frames, out_fw, out_fh
Confidence
97% confidence
Finding
if os.system(cmd2) != 0:

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
if frames <= 0:
            cmd1 = f"ffmpeg -y -i '{upload_path}' '{td}/f_%04d.png' >/dev/null 2>&1"
            if os.system(cmd1) != 0:
                raise RuntimeError("动图抽帧失败(Pillow/ffmpeg 都失败)")
            files = sorted([x for x in os.listdir(td) if x.startswith("f_") and x.endswith(".png")])
            frames = len(files)
Confidence
96% confidence
Finding
if os.system(cmd1) != 0:

Tainted flow: 'LOCAL_STATUS_URL' from os.environ.get (line 55, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
headers = {}
        if LOCAL_STATUS_TOKEN:
            headers["Authorization"] = f"Bearer {LOCAL_STATUS_TOKEN}"
        r = requests.get(LOCAL_STATUS_URL, headers=headers, timeout=5)
        if r.status_code == 200:
            data = r.json()
            state = normalize_state(data.get("state", "idle"))
Confidence
85% confidence
Finding
r = requests.get(LOCAL_STATUS_URL, headers=headers, timeout=5)

Tainted flow: 'STATE_FILE' from os.environ.get (line 15, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
}

def save_state(state):
    with open(STATE_FILE, "w", encoding="utf-8") as f:
        json.dump(state, f, ensure_ascii=False, indent=2)

if __name__ == "__main__":
Confidence
92% confidence
Finding
with open(STATE_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to perform shell commands, read/write local files, access environment variables, and expose a local service publicly, yet the skill metadata does not declare any permissions or capability boundaries. This mismatch can cause operators or orchestration systems to authorize or invoke the skill without understanding that it can modify the host and make networked changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The advertised description presents the skill as a simple one-click dashboard deployment, but the instructions and analyzer context indicate substantially broader behaviors including asset management, API key handling, AI image generation, remote agent join/push behavior, desktop shells, and service restart capabilities. Understating these behaviors is dangerous because users may consent to a low-risk UI deployment while actually enabling a tool with data modification, credential handling, remote connectivity, and service-management reach.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill is presented as an office UI deployer, but it reads markdown memo files from a sibling memory directory outside the app root and exposes their contents over an unauthenticated API. That creates an information disclosure issue because a visitor can retrieve potentially sensitive local notes unrelated to the UI service.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The backend invokes an external Gemini generation script and supplies stored API credentials plus a reference image to another service. That is not inherently malicious, but it expands trust boundaries and can leak prompts, images, and billing-bearing credentials if the feature is misused or compromised; the risk is heightened because the asset editor authentication is weak by default.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This media-conversion block executes local tooling such as ffmpeg and ImageMagick on uploaded content, including through shell-based os.system calls. In a network-facing service, parsing attacker-supplied media with powerful native tools is a meaningful attack surface and can lead to command execution, parser exploitation, or server-side resource abuse.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code comments and route description say new agents should join with pending authorization, but the implementation immediately marks them approved when they possess a valid join key. This weakens the intended trust model and allows anyone with a leaked or guessed key to join and start pushing state without owner review.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The Tauri app starts a backend process and allows the interpreter path to be overridden via the STAR_BACKEND_PYTHON environment variable. That means whoever controls the launch environment can cause the app to execute an arbitrary local binary under the user's privileges, which is beyond normal read-only UI behavior and increases the attack surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The page loads Phaser from a third-party CDN at runtime, which gives an external service direct control over executable code inside the Tauri UI. In a desktop-like Tauri context, this is more dangerous than a normal website because compromised CDN content, dependency hijacking, or network interception could alter application behavior and potentially interact with privileged Tauri APIs exposed to the frontend.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The IPC handler accepts a renderer-supplied URL and passes it directly to shell.openExternal without allowlisting schemes or destinations. If the renderer content is ever compromised or influenced by backend-controlled data, an attacker could trigger opening arbitrary links or platform URI handlers, which can lead to phishing, execution of dangerous custom protocols, or unexpected app launches.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code inserts server-provided memo content into the DOM using innerHTML after only replacing newlines with <br>, which does not sanitize attacker-controlled HTML or scriptable markup. If the /yesterday-memo response can be influenced, this enables DOM XSS in the Electron/web UI and could be especially dangerous in an Electron context where XSS may lead to privileged actions depending on configuration.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The UI explicitly collects a third-party Gemini API key from the user and persists it via client actions to backend config endpoints. Even though the input is masked, this creates a credential-handling surface inside a dashboard skill; compromise of the page, backend, logs, or local storage/config handling could expose the key and enable unauthorized API usage and billing abuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The frontend exposes a helper that performs a POST to /set_state, which is a state-changing control action rather than passive visualization. Even though it is labeled for testing, shipping this capability in production UI can let any user with browser access invoke workflow/state transitions if the backend does not strictly enforce authentication and authorization.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Memo content returned by /yesterday-memo is inserted with innerHTML after only replacing newlines, so any HTML in data.memo will be interpreted by the browser. If an attacker can influence memo content, this becomes a stored or reflected XSS path that can execute script in users' browsers, steal tokens, or manipulate the UI.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The page collects and saves a GEMINI API key through the browser UI and sends it to backend endpoints, but this file provides little assurance about how that credential is stored, scoped, or protected. In a skill whose primary purpose is a pixel-office dashboard, adding third-party API credential handling expands the attack surface and can expose users to credential theft, misuse, or unintended paid API consumption if the backend or surrounding auth model is weak.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script silently probes hard-coded local workspace paths and reads state metadata unrelated to the stated UI deployment purpose. In context, this expands the skill from deployment into local activity surveillance, creating an undisclosed collection channel for task/status information that is later transmitted off-host.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata frames this as a one-click office UI deployment aid, but this file actually performs continuous local status collection and remote telemetry push. That mismatch is security-relevant because users may run it expecting deployment behavior while it persistently monitors and exfiltrates operational state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to expose the dashboard through a public Cloudflare Tunnel and share the resulting public URL, but it does not warn that the dashboard may reveal live agent activity, status text, yesterday memos, and potentially other operational metadata to anyone with the link. In the context of an agent dashboard, that omission increases the risk of unintended data exposure and reconnaissance, especially if users assume the tunnel is safe by default.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to expose a local dashboard via Cloudflare Tunnel and share the resulting public URL, but it does not prominently warn that this makes the service internet-accessible and may expose agent status, notes, or administrative functionality if authentication is weak or misconfigured. In the context of an agent dashboard that supports remote status updates, guest joins, and config endpoints, missing exposure guidance increases the chance of unsafe deployment.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The skill is framed to proactively do as much setup as possible with minimal user questioning, but it lacks explicit trigger boundaries, exclusions, or approval checkpoints. In context, that broad autonomy is risky because the same document later includes cloning code, installing dependencies, writing files, launching services, and exposing the app publicly, all of which can occur without sufficiently specific user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends creating a public Cloudflare Tunnel and sharing the resulting URL, but it does not clearly warn the user that this exposes a locally hosted administrative interface to the Internet. That is especially dangerous here because the same skill documents a default asset-editor password of 1234 and supports runtime configuration changes, making unauthorized access or tampering much more plausible once exposed.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.install_untrusted_source

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
electron-shell/main.js:168

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
frontend/vendor/phaser-3.80.1.min.js:1

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
desktop-pet/src-tauri/tauri.conf.json:17