Back to skill

Security audit

us3-uploader-encrypted

Security checks across malware telemetry and agentic risk

Overview

This is a real US3 file uploader, but it is too broad and can automatically send many generated files to external storage without a clear consent or sensitivity check.

Install only if you intentionally want agents to upload generated files to your UCloud US3 bucket and share signed links. Use a dedicated least-privilege bucket and key, avoid automatic uploads of sensitive or private files, preinstall or pin the ufile dependency instead of allowing runtime installation, and make sure uploaded files can be deleted or links revoked when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
from ufile import filemanager, config
except ImportError:
    print("Installing ufile SDK...")
    os.system("pip3 install -q ufile")
    from ufile import filemanager, config

# Read from environment variables
Confidence
93% confidence
Finding
os.system("pip3 install -q ufile")

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly requires access to environment variables, shell execution, and network egress to upload files, yet it declares no permissions. That mismatch prevents meaningful policy review and can let a broadly-triggered skill exfiltrate generated or local files using hidden capabilities, especially because the skill is marked always-on and mandates uploads for any file output.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Installing a Python package during execution is unnecessary for the stated purpose and creates a supply-chain exposure path. A compromised package index response, typosquatting event, or unexpected package update could lead to execution of attacker-controlled code when the skill runs.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger text is extremely broad and mandatory, requiring this skill whenever a task involves almost any file generation, sharing, export, or sending. In context, that means a network-capable uploader can be invoked for routine actions without a specific user request for third-party upload, increasing the chance of unintended external disclosure of sensitive outputs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The usage guidance instructs the agent to automatically upload completed files to external object storage and share direct download links, but it provides no caution about whether the file may contain sensitive, user-private, regulated, or proprietary data. In this skill's context, that omission is materially risky because the skill is explicitly mandatory for delivering generated files, which can normalize exfiltration of data to a third-party storage service without user confirmation or data classification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document shows environment-variable setup for public and private US3 credentials but does not warn that these are secrets that must not be logged, embedded in code, echoed to users, or committed to repositories. In an agent setting, such examples can easily lead to accidental secret exposure through transcripts, shell history, debugging output, or copied setup instructions, enabling unauthorized access to the storage bucket.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly tells users to run `filemgr-config --action getconfig`, which is likely to print the current US3 configuration and may include sensitive API credentials. In the context of an agent skill whose purpose is file upload and sharing, operators may execute this in interactive terminals, recorded sessions, logs, or screenshots, increasing the chance of accidental credential disclosure and subsequent unauthorized bucket access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.