logicx-skill-test

Security checks across malware telemetry and agentic risk

Overview

This LogicX skill appears purpose-built for account API access, but it asks users to share passwords with the agent and handles tokens and network requests in ways that need review before installation.

Install only if you trust the LogicX service and publisher. Prefer browser binding, do not send your password in chat, avoid using the default plain-HTTP IP endpoint for real accounts or payments, and remove ~/.config/logicx/skill-state.json or unlink the agent when you no longer want this machine to retain access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares shell-capable execution via required binaries (`curl`, `bash`) but does not declare corresponding permissions or constraints. This weakens the trust boundary for users and hosting platforms because the skill can make arbitrary network requests or run shell logic without an explicit permission signal.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script accepts arbitrary absolute http:// or https:// URLs, allowing callers to direct requests to any destination instead of only the declared LogicX proxy API. Because the script automatically attaches the agent service key and, when present, the user token, this creates an SSRF-style arbitrary outbound request primitive and can leak credentials to attacker-controlled hosts.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Unrestricted outbound HTTP is not required for the stated purpose and materially expands the attack surface. In this skill, the risk is amplified because outbound requests may include sensitive Authorization and X-LogicX-User-Token headers, enabling exfiltration or use of the agent as a network pivot to internal or attacker-controlled endpoints.

Natural-Language Policy Violations

Medium
Confidence
77% confidence
Finding
The skill hardcodes a Chinese login prompt without offering language negotiation or fallback. While not directly a code-execution issue, it can mislead or confuse users during a sensitive authentication flow, increasing the chance that they misunderstand what they are authorizing or what data they are being asked to provide.

Missing User Warnings

High
Confidence
98% confidence
Finding
The example explicitly tells the user they can send their username and password directly to the agent for login. This normalizes collection of highly sensitive credentials in chat, where they may be logged, retained, exposed to operators, or mishandled by downstream tooling. In this skill context, the danger is elevated because the skill is specifically designed to perform authenticated account actions, making credential harvesting or accidental exposure especially harmful.

Missing User Warnings

High
Confidence
97% confidence
Finding
The password-login example shows the agent transmitting raw email and password values without any accompanying privacy or sensitive-data warning. Even if the backend endpoint is legitimate, embedding this pattern in examples encourages insecure operational behavior and increases the chance that credentials are collected through chat logs, shell history, telemetry, or other intermediaries. Because this skill enables access to account, order, payment, and password-change functions, compromise of credentials could lead to broad account takeover and unauthorized transactions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly instructs the agent to collect user email/password and to persist returned user tokens, but it provides no guidance on minimizing credential exposure, avoiding logging, secure storage, masking, or obtaining explicit user consent. In an agent skill context, this increases the chance that highly sensitive secrets are handled unsafely or retained longer than necessary, leading to account compromise if logs, memory, or local storage are exposed.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document describes impactful account operations such as payment creation/cancellation, password change, and agent unlinking without requiring user confirmation, re-authentication, or warnings about consequences. In an agent-operated environment, this can normalize unsafe execution of destructive or financially significant actions, increasing the risk of unauthorized charges, account lockout, or service disconnection through prompt abuse or operator error.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script stores the user authentication token in a plaintext local state file without explicit user disclosure or consent. Even with chmod 600, plaintext token storage increases exposure to local compromise, accidental backup/sync leakage, or misuse by other processes running as the same user.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly tells the agent to ask users to provide their username/email and password directly in chat as a fallback login method. Collecting credentials in conversational channels is dangerous because chat logs may be retained, exposed to operators, or mishandled by downstream systems, turning the agent into a credential harvesting point.

Ssd 3

High
Confidence
99% confidence
Finding
The dialogue directly invites the user to provide account credentials to the agent, which is a classic sensitive-data collection anti-pattern. This can train users to disclose passwords to conversational systems and creates an immediate risk of credential exposure via transcripts, monitoring systems, prompt injection side channels, or unauthorized staff access. The surrounding skill context makes this more dangerous because the skill can access user profile, orders, payments, and account-management actions once authenticated.

Session Persistence

Medium
Category
Rogue Agent
Content
# LogicX Skill

Interact with the LogicX platform on behalf of the user. All API calls go through the frontend proxy (`/api/proxy/*`). Use `scripts/logicx_api.sh` for every request — never write ad-hoc `curl` commands.

## Rules
Confidence
88% confidence
Finding
write ad-hoc `curl` commands.

## Rules
- Only call `/api/proxy/*` (or `/api/health`). Never call backend `/v1/*` directly.
- Default to browser binding. Only ask for email and password if the user e

VirusTotal

64/64 vendors flagged this skill as clean.