Back to skill

Security audit

shixinchao

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple external chat API wrapper, but it is too broadly triggered and can send ordinary user questions to a third-party service without clear opt-in notice.

Install only if you are comfortable with user questions being sent to developer.jointpilot.com. Avoid using it with secrets, personal data, or confidential business content, and verify or fix the API key handling before relying on it because the script currently does not read API_KEY from the environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents outbound network access to a third-party API and use of an API key, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or the platform may not realize that user prompts are transmitted externally, which can lead to unintended data exposure and policy bypass.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description presents the skill as a generic 'test' skill with no concrete behavior, while the documentation shows it forwards user input to an external authenticated chat API and processes streaming responses. This mismatch is dangerous because it obscures material behavior from reviewers and users, increasing the chance that sensitive prompts are exfiltrated to a third party without informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a generic test script, but it actually forwards user input to an external chat API using bearer-token style authentication. This mismatch reduces transparency and can mislead users or reviewers about data egress and the real capability of the skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code contains outbound network chat-completion behavior that is not justified by the stated purpose of the skill. Unjustified remote execution paths increase the risk of unintended data exposure, policy bypass, and misuse because reviewers and users cannot easily infer why external transmission is necessary.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger condition states the skill activates automatically whenever the user asks a question, which is overly broad for a skill that sends content to an external service. Broad invocation raises the risk of accidental activation on unrelated conversations and unintended transmission of sensitive user data to the remote API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends user-provided input to a third-party API without meaningful user-facing notice or consent beyond generic API-call comments. This is dangerous because sensitive prompts may be exfiltrated off-platform without the operator understanding that their input is being transmitted externally.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.