Back to skill

Security audit

Dexter Research

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed stock-research skill, but it needs Review because it can automatically send generated reports to Feishu and has an under-disclosed hardcoded fallback recipient.

Install only if you understand and want Feishu delivery. Before use, explicitly set FEISHU_USER_OPEN_ID to your own recipient or disable the send_feishu path, use least-privilege Feishu app credentials, rotate any credential resembling the App Secret shown in the documentation, and remember that the skill writes a report and log locally while calling external market-data services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tainted flow: 'USER_OPEN_ID' from os.environ.get (line 21, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"""推送飞书"""
    import requests
    url = "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id"
    r = requests.post(url,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json={"receive_id": USER_OPEN_ID, "msg_type": "text", "content": json.dumps({"text": msg})},
        timeout=10)
Confidence
93% confidence
Finding
r = requests.post(url, headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json={"receive_id": USER_OPEN_ID, "msg_type": "text", "content": json.dumps

Tainted flow: 'LOG_FILE' from os.environ.get (line 23, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
ts = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    line = f"[{ts}] {msg}"
    print(line)
    with open(LOG_FILE, "a", encoding="utf-8") as f:
        f.write(line + "\n")

# ============ 飞书Token ============
Confidence
86% confidence
Finding
with open(LOG_FILE, "a", encoding="utf-8") as f:

Tainted flow: 'OUTPUT_FILE' from os.environ.get (line 22, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_json(code, data):
    """保存JSON"""
    with open(OUTPUT_FILE, "w", encoding="utf-8") as f:
        json.dump({
            "code": code,
            "timestamp": datetime.now().isoformat(),
Confidence
88% confidence
Finding
with open(OUTPUT_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation describes access to environment variables, outbound network calls, and local file writes, but no corresponding permissions are declared. This creates a capability/visibility gap: operators and users may not realize the skill can exfiltrate data externally or persist outputs locally, which weakens review and containment. In this context, the presence of Feishu messaging and filesystem persistence makes the missing permission declaration more dangerous than a purely local analysis tool.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose is stock research/analysis, but the documented behavior also includes sending reports to Feishu and persisting data to local paths. This mismatch can mislead users and reviewers about where data goes and what side effects occur, enabling unintended disclosure of financial queries, derived reports, or user-associated identifiers to external services. Because this skill handles potentially sensitive investment research, undisclosed outbound delivery materially increases risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill's declared purpose is A-share financial research, but it also includes logic to push results to a Feishu account. This mismatch expands the skill's capabilities beyond user expectations and increases the risk of covert or accidental data disclosure, especially because recipients are configured out-of-band.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Accessing Feishu application credentials and a recipient identifier is not necessary to compute stock research results. In this skill context, collecting and using unrelated messaging credentials broadens the trust boundary and creates an unnecessary path for outbound data transmission.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code sends the generated research summary to an external Feishu messaging API, which is unrelated to the core task of local stock analysis. In context, that makes the behavior more dangerous because users invoking a research skill would not reasonably expect their analysis to be forwarded to a preconfigured external recipient.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically attempts Feishu delivery once a token is available, without any user-facing warning, confirmation, or approval step. This creates a silent exfiltration vector for research content and metadata, which is particularly risky in an agent skill where users expect analysis, not unsolicited external sharing.

Ssd 3

High
Confidence
99% confidence
Finding
The documentation contains a concrete Feishu App Secret in plaintext. Even if presented as an example, embedding what appears to be a real secret in a distributable skill file can lead to credential leakage, unauthorized API use, account compromise, or abuse of the associated Feishu integration. In a skill that already performs external messaging, exposed credentials are especially dangerous because they can be used immediately for impersonation or data exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.