Security audit

Zopaf Negotiation Engine

Security checks across malware telemetry and agentic risk

Overview

The skill has a useful negotiation purpose, but the package mixes a hosted MCP setup with under-disclosed Claude-backed coaching, telemetry, and session storage for sensitive deal details.

Install only if you are comfortable sending negotiation details to the hosted MCP service and with the package containing under-disclosed Claude-backed web components. For confidential compensation, legal, procurement, M&A, or fundraising negotiations, prefer a reviewed local-only deployment and avoid the bundled web API unless authentication, retention, telemetry, and Anthropic data handling are clarified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (53)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises MCP/networked functionality and, per the static finding, has capabilities such as env, file_write, mcp, and network without declaring corresponding permissions. That creates a trust and sandboxing gap: a host or reviewer may underestimate what the skill can access or exfiltrate, especially because it connects to a remote MCP endpoint.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a significant description-behavior mismatch: the skill claims to be a 'Zero LLM tokens' negotiation math engine, while the finding indicates hidden LLM API usage, chat/session persistence, extraction of deal terms from messages, and unrelated web endpoints. That is dangerous because users may share sensitive negotiation data under false assumptions about processing, retention, and external disclosure, increasing privacy, compliance, and prompt-manipulation risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code clearly contradicts the skill metadata: it is not a zero-token local math engine, but an Anthropic-backed conversational agent that sends negotiation data to an external model. This is dangerous because users or downstream systems may rely on the manifest for trust, privacy, and cost assumptions, while the implementation transmits private case information and incurs external-model behavior and billing.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Importing and using the Anthropic client is inconsistent with a skill presented as a zero-token negotiation math engine, indicating undisclosed third-party API access. In this context, the danger is not merely architectural inconsistency: private negotiation background, BATNA, and scoring data are inserted into prompts and sent off-box, creating privacy, compliance, and unexpected-cost risks.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The top-level docstring and class documentation openly describe an LLM-powered agent, reinforcing that the packaged skill does something materially different from its declared purpose. While documentation mismatch alone is not code execution, in a skill ecosystem it is a trust-boundary problem that can mislead reviewers, users, and automated policy systems about data flow and risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The /unlock endpoint allows any caller to mark an arbitrary session as unlocked with only a session_id and no authentication, authorization, or payment verification. Even though the paywall is currently disabled in /chat, this endpoint represents a broken access control pattern that could be abused immediately if gating is re-enabled or if unlocked state affects other premium behavior elsewhere.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The session and history endpoints expose internal state and chat history based solely on possession of a short session_id, with no authentication or authorization checks. Because session IDs are only 8 characters derived from a UUID prefix, they are weaker than full UUIDs and could enable unauthorized retrieval of potentially sensitive negotiation content and inferred preferences.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata and docstring claim 'Zero LLM tokens,' but the implementation clearly initializes Anthropic clients and makes multiple model calls. This is a supply-chain trust and transparency failure: operators may approve or deploy the skill under a false assumption that no external LLM processing or data sharing occurs.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module docstring explicitly says the coach is powered by Claude, directly contradicting the manifest claim that the skill uses zero LLM tokens. Such contradictory self-description is dangerous because reviewers and users may rely on the manifest for risk classification, privacy expectations, and cost controls while the code behaves differently.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata and positioning claim a 'Zero LLM tokens' negotiation math engine, but this file imports and uses the Anthropic API to process negotiation content. That mismatch is security-relevant because it conceals external data egress and remote model dependency from users who may rely on the zero-token claim for privacy, compliance, or cost controls.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code sends full negotiation messages to an external Anthropic service for extraction, creating a clear data exfiltration path for potentially sensitive business, legal, or financial negotiation content. In the context of a negotiation engine advertised as math-only and zero-token, this is more dangerous because users would reasonably not expect transcripts to leave the local environment.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring describes local simulation and scoring, but omits that message interpretation is outsourced to an external LLM. This hidden behavior can mislead operators reviewing the file into underestimating privacy, compliance, and reproducibility risks associated with running the script.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The plugin description presents the skill as a local, zero-token negotiation engine, but the implementation actually forwards functionality to a remote MCP server over HTTP. This mismatch is security-relevant because users and reviewers may make trust, privacy, and deployment decisions based on the claim that computation is local when data is in fact sent to an external service.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill introduces outbound network access to a third-party hosted service that is not clearly justified by the stated purpose or transparently disclosed in the metadata. In practice, negotiation inputs, preferences, or sensitive business context could be transmitted off-host to the remote service, expanding the attack surface and creating privacy, integrity, and availability risks.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill claims 'Zero LLM tokens' yet includes the Anthropic SDK, which is inconsistent with the stated functionality and increases attack surface. Even if unused, adding an external LLM client can enable unintended outbound AI/API interactions, hidden telemetry, or future code paths that contradict the declared trust model.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata promises a 'Zero LLM tokens' negotiation math engine, but the implementation sends negotiation transcripts to Anthropic for deal extraction. This is a real security and trust issue because it causes undisclosed external data exfiltration and materially misrepresents the skill's behavior to users who may rely on the no-LLM claim for privacy, cost, or policy reasons.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code transmits full negotiation transcripts to an external LLM service even though the stated purpose is a local math/optimization engine. In this context, the unexplained API call expands the attack surface, introduces privacy and compliance risk, and can leak sensitive negotiation content to a third party without any need justified by the skill description.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The module and function docstrings describe local orchestration and extraction behavior, but the implementation actually depends on an external Anthropic service. This mismatch is dangerous because operators and reviewers may approve or deploy the skill under false assumptions about data locality and dependency boundaries, increasing the chance of accidental sensitive-data exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata claims a 'Zero LLM tokens' negotiation math engine, but the code imports and uses Anthropic for core functionality. This is a real integrity and trust violation because users may enable the skill expecting deterministic local computation, while sensitive negotiation content is actually sent to an external model provider.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Preference inference is advertised as MILP/math-based, but the code sends negotiation history to an LLM and trusts its JSON output to estimate counterpart weights. This is dangerous because it silently substitutes an opaque remote inference service for a local optimization engine, creating undisclosed data exposure and misleading security expectations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file implements a full LLM-driven conversational negotiator that impersonates a party and generates negotiation text, which materially exceeds a narrow 'math engine' capability. In this skill context, that mismatch is risky because users may grant access or trust decisions based on the belief that the tool only computes Pareto/iso-utility outputs rather than conducting autonomous dialogue.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code transmits offer history and counterpart responses to an external LLM service for analysis without justification consistent with the stated zero-token math-engine purpose. Negotiation transcripts can contain sensitive business terms, priorities, and strategy, so undisclosed external transmission creates a meaningful confidentiality and compliance risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill uses an LLM to act as the negotiating party and generate strategic responses, despite being presented as a math engine. This expands the agent's operational scope from computation to autonomous persuasion, increasing the risk of unreviewed outputs, sensitive-data sharing, and user misunderstanding about what the skill actually does.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The layout imports and renders Vercel Analytics in a skill described as a zero-token, local negotiation math engine, creating an undisclosed third-party telemetry path. Even if used for ordinary product metrics, analytics can collect usage metadata and potentially negotiation-related interaction data, which is misaligned with the stated local/offline-style purpose and increases privacy and trust risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Telemetry is not justified by the stated function of a local optimization engine, so its presence expands the data exposure surface without an apparent operational need. In the context of negotiation tooling, metadata about deal exploration, counteroffers, or usage patterns can itself be commercially sensitive, making unjustified analytics materially risky.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
web/lib/api.ts:1