Back to skill

Security audit

Skill Smartcaptcha

Security checks across malware telemetry and agentic risk

Overview

The skill matches its SmartCaptcha purpose, but several documented defaults can weaken the bot-protection control it is meant to help users build.

Install only if you want Yandex SmartCaptcha-specific help and review generated code before production use. For sensitive actions, consider fail-closed or risk-based fallback instead of unconditional fail-open, reject unexpected or empty host values when domain checks are disabled, keep server keys in backend secrets, and pin or update example dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs use of environment variables and remote network calls (`/validate`, cloud APIs, package/script fetching), yet no declared permissions are present. This creates a governance and transparency gap: an agent may rely on capabilities the platform has not explicitly approved, making review, containment, and least-privilege enforcement harder.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document first states that when domain validation is disabled, the server must verify the `host` returned by `/validate`, but then advises that an empty `host` may be treated as trusted. Accepting a missing origin value as trustworthy defeats the purpose of origin verification and can let attackers submit tokens obtained from unauthorized contexts or during service anomalies, especially if implementers copy this guidance directly.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code intentionally fail-opens when SmartCaptcha validation times out, returns a non-200 status, or encounters a network error, returning true and allowing the request through. This lets attackers bypass the anti-bot control simply by causing validation failures or exploiting transient network issues, undermining the primary security purpose of the captcha.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code explicitly fails open on timeout, network error, or non-200 response from the captcha service by returning True and allowing the request through. In an anti-bot control, this weakens the protection boundary because an attacker can succeed whenever validation is unavailable or disrupted, making abuse of forms, login, or registration endpoints easier.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The workflow explicitly recommends fail-open behavior when the SmartCaptcha validation endpoint returns a non-200 response, which allows requests to bypass the anti-bot control during outages or induced connectivity failures. In the context of protecting login, registration, and form endpoints from bots, this materially weakens the security boundary and can be abused by attackers who trigger or exploit validator unavailability.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The workflow explicitly recommends fail-open behavior when SmartCaptcha server validation returns a non-200 response. In a bot-protection workflow, this means attackers can bypass anti-automation controls simply by causing validation outages, network failures, or response handling errors, allowing protected actions to proceed without a verified captcha result.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The workflow explicitly recommends fail-open behavior when the SmartCaptcha validation endpoint returns a non-200 response, which can allow protected actions to proceed during outages or induced network failures. In the context of bot protection for forms, login, and registration, this weakens the control and creates a bypass path attackers may exploit by triggering or taking advantage of validation failures.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation text is unusually broad, directing the agent to invoke this skill not only for explicit SmartCaptcha requests but for general anti-bot protection scenarios even when 'captcha' is never mentioned. That can cause unintended routing, override more appropriate skills, and increase the chance that secrets, infrastructure details, or security guidance are handled by the wrong capability.

Natural-Language Policy Violations

Medium
Confidence
72% confidence
Finding
The skill metadata and content are written entirely in Russian and strongly imply Russian-language operation without checking user preference. While not a direct exploit primitive, this can degrade user comprehension of security-critical instructions, cause misconfiguration, and increase the risk of unsafe implementation if the consuming user expects another language.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly instructs developers to enable cleartext HTTP traffic in Android for testing, but it does not pair that guidance with a strong warning that unencrypted transport exposes captcha tokens and surrounding app traffic to interception or manipulation on hostile networks. In a mobile/WebView integration guide, this is particularly risky because developers may copy the setting into broader environments or forget to remove it, weakening transport security beyond local-only testing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly recommends treating non-200 responses from the CAPTCHA validation service as success (fail-open). In an anti-bot control, this creates a bypass condition: an attacker who can induce validation outages, timeouts, network errors, or blocked egress may get requests accepted without solving the CAPTCHA, undermining login, registration, and form abuse protections.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Зависимости примера Flask + SmartCaptcha. Подробности проверки токена: ../../docs/server-validation.md
flask>=3.0
requests>=2.31
Confidence
86% confidence
Finding
flask>=3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Зависимости примера Flask + SmartCaptcha. Подробности проверки токена: ../../docs/server-validation.md
flask>=3.0
requests>=2.31
Confidence
88% confidence
Finding
requests>=2.31

Known Vulnerable Dependency: express==4.19.2 — 1 advisory(ies): CVE-2024-43796 (express vulnerable to XSS via response.redirect())

Low
Category
Supply Chain
Confidence
93% confidence
Finding
express==4.19.2

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.secret_argv_exposure

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
examples/express-fullstack/server.js:8

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
templates/validate.js:24

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
templates/widget-advanced.html:73

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:106

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/integrate-mobile.md:44

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/integrate-react.md:50

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/integrate-website.md:46