
Security audit

内控-集团客户部FY审计 (Internal Control: Group Client Department FY Audit)

Security checks across malware telemetry and agentic risk

Overview

This audit skill has a legitimate business purpose, but its bundled scripts can overwrite or delete audit database history and expose sensitive payout details without clear safeguards.

Install only if you control the workspace and are comfortable reviewing the scripts before use. Treat normal audit and report generation separately from the rebuild, reparse, restore, and analysis scripts: require a backup and explicit approval before running anything that can DELETE, DROP, or UPDATE SQLite tables. Do not upload the database or the skill directory to personal cloud storage unless that is approved for this business data, and mask bank account, account-holder, and email fields in terminal output, logs, and reports wherever possible.
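The gate described above, as an added example in Python (not code from the skill or its scanner): each bundled script is classified by scanning its source for SQL that can rewrite stored history; a destructive script is refused unless an approval token is supplied, and when it is approved a consistent SQLite snapshot is taken first through the online backup API. The script bodies, table layout, paths and the "APPROVED" token are constructed for illustration.

```python
"""Pre-flight gate for the audit skill's bundled scripts.

Added example, not code from the skill: it classifies a script as read-only
or destructive by scanning its source for SQL that can rewrite stored
history, refuses to run a destructive script without an explicit approval
token, and takes a consistent SQLite backup first when it is approved.
The script bodies, table and paths below are constructed for illustration.
"""
import re
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# SQL that can alter or erase stored history. REPLACE / INSERT OR REPLACE
# overwrite rows in place, so they count as destructive too. Matching is
# deliberately coarse: a mention inside a comment still trips the gate,
# which is the right failure direction for audit data.
DESTRUCTIVE_SQL = re.compile(
    r"\b(DELETE\s+FROM|DROP\s+TABLE|UPDATE\s+\w+\s+SET|TRUNCATE|"
    r"INSERT\s+OR\s+REPLACE|REPLACE\s+INTO|ALTER\s+TABLE)\b",
    re.IGNORECASE,
)

def destructive_statements(script_text: str) -> list:
    """Return every destructive SQL fragment found in a script's source."""
    return [m.group(0) for m in DESTRUCTIVE_SQL.finditer(script_text)]

def classify(script_text: str) -> str:
    return "destructive" if destructive_statements(script_text) else "read-only"

def backup_sqlite(db_path: Path, backup_dir: Path) -> Path:
    """Copy the database with SQLite's online backup API, which yields a
    consistent snapshot even if another connection is mid-transaction
    (a plain file copy does not)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_dir / f"{db_path.stem}.{stamp}.bak.sqlite"
    src, dst = sqlite3.connect(db_path), sqlite3.connect(dest)
    src.backup(dst)
    dst.close()
    src.close()
    return dest

def gate(script_path: Path, db_path: Path, backup_dir: Path,
         approval: Optional[str]) -> dict:
    """Decide whether a script may run against db_path. Read-only scripts
    pass; destructive ones need approval == "APPROVED" and get a backup."""
    found = destructive_statements(script_path.read_text(encoding="utf-8"))
    if not found:
        return {"allowed": True, "class": "read-only", "found": [], "backup": None}
    if approval != "APPROVED":
        return {"allowed": False, "class": "destructive", "found": found, "backup": None}
    return {"allowed": True, "class": "destructive", "found": found,
            "backup": str(backup_sqlite(db_path, backup_dir))}

# Constructed script bodies standing in for a report script and a
# "reparse month" script that first deletes the month's stored rows.
REPORT_SCRIPT = "rows = cur.execute('SELECT month, brand, payout FROM brand_audit WHERE month = ?', (m,))\n"
REPARSE_SCRIPT = ("cur.execute('DELETE FROM raw_records WHERE month = ?', (m,))\n"
                  "cur.execute('DELETE FROM brand_audit WHERE month = ?', (m,))\n")

def demo() -> dict:
    """Build a throwaway database and run both scripts through the gate."""
    work = Path(tempfile.mkdtemp())
    db = work / "audit.sqlite"
    con = sqlite3.connect(db)
    with con:
        con.execute("CREATE TABLE brand_audit (month TEXT, brand TEXT, payout REAL)")
        con.executemany("INSERT INTO brand_audit VALUES (?, ?, ?)",
                        [("2024-01", "A", 10.0), ("2024-02", "A", 12.5)])
    con.close()
    (work / "report.py").write_text(REPORT_SCRIPT, encoding="utf-8")
    (work / "reparse_month.py").write_text(REPARSE_SCRIPT, encoding="utf-8")
    out = {
        "report": gate(work / "report.py", db, work / "backups", None),
        "reparse_unapproved": gate(work / "reparse_month.py", db, work / "backups", None),
        "reparse_approved": gate(work / "reparse_month.py", db, work / "backups", "APPROVED"),
    }
    # Confirm the snapshot holds the rows a destructive run could erase.
    bak = sqlite3.connect(out["reparse_approved"]["backup"])
    out["backup_rows"] = bak.execute("SELECT COUNT(*) FROM brand_audit").fetchone()[0]
    bak.close()
    shutil.rmtree(work)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The keyword scan is intentionally crude: it exists to sort scripts into the two buckets the overview asks for, and a false positive costs only a backup and a confirmation, while a false negative costs history.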

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, yet its documented workflow clearly performs file reads, file writes, report generation, SQLite updates, and likely shell/script execution. This creates a transparency and governance gap: operators may invoke the skill under the assumption of low privilege while it can access and modify local data and produce persistent artifacts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description presents the skill as an audit/recalculation tool with incremental inserts and no historical modification, but the broader behavior includes table rebuilds, destructive reparse workflows, direct database modifications, and analysis of sensitive payout/bank-account data. This mismatch undermines informed consent and can lead users to authorize a tool that is materially more invasive and destructive than advertised.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script performs an UPDATE against the production SQLite dataset even though the skill is described as an audit/reporting tool that should not modify historical data. In an audit context, silent mutation undermines data integrity, contaminates evidence, and can change the very records being reviewed, which makes findings unreliable and creates a path for unauthorized data tampering.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file presents itself as analysis-only, but the implementation contains a hidden data-fixing UPDATE. This mismatch increases operator trust and reduces scrutiny, making unintended or unauthorized state changes more likely during a workflow that users reasonably expect to be read-only.
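The two findings above (a script described as analysis-only that carries a hidden UPDATE) are the case for enforcing read-only at runtime rather than trusting the docstring. The following is an added example, not code from the skill: the connection handed to an analysis script is opened with SQLite's `mode=ro` URI flag and fitted with a Python `sqlite3` authorizer that denies every write action and records what was attempted, so the hidden statement fails at prepare time and leaves evidence of the divergence. The table and the statement list are constructed for illustration.

```python
"""Runtime guard for scripts that present themselves as analysis-only.

Added example, not code from the skill: rather than trusting a docstring,
the connection handed to the script is opened read-only and fitted with an
authorizer that denies every write and records what was attempted. A
hidden UPDATE or DELETE then fails before it executes and leaves evidence
of the divergence. The table and statements are constructed for
illustration.
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Authorizer actions that change data or schema; everything else (SELECT,
# READ, FUNCTION, ...) is allowed so genuine analysis still works.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT: "INSERT",
    sqlite3.SQLITE_UPDATE: "UPDATE",
    sqlite3.SQLITE_DELETE: "DELETE",
    sqlite3.SQLITE_DROP_TABLE: "DROP_TABLE",
    sqlite3.SQLITE_CREATE_TABLE: "CREATE_TABLE",
    sqlite3.SQLITE_ALTER_TABLE: "ALTER_TABLE",
}

def open_analysis_connection(db_path: Path, denied: list) -> sqlite3.Connection:
    """Open db_path read-only (mode=ro) and deny writes at prepare time,
    appending (action, table, column) to `denied` for later review."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in WRITE_ACTIONS:
            denied.append((WRITE_ACTIONS[action], arg1, arg2))
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    con.set_authorizer(authorizer)
    return con

def run_analysis(con: sqlite3.Connection, statements: list) -> list:
    """Execute what a script would run; a denied write raises before it
    touches the file and is reported instead of silently applied."""
    outcome = []
    for sql in statements:
        try:
            outcome.append(("ok", sql, con.execute(sql).fetchall()))
        except sqlite3.DatabaseError as exc:          # "not authorized"
            outcome.append(("denied", sql, str(exc)))
    return outcome

# Constructed body of an "analysis-only" script hiding data-fixing writes.
SCRIPT_SQL = [
    "SELECT month, brand, payout FROM brand_audit ORDER BY month",
    "UPDATE brand_audit SET payout = 0 WHERE brand = 'A'",      # hidden fix-up
    "DELETE FROM brand_audit WHERE month = '2024-01'",          # hidden purge
]

def demo() -> dict:
    """Seed a throwaway database, run the script through the guard, and
    show that the stored rows are unchanged afterwards."""
    work = Path(tempfile.mkdtemp())
    db = work / "audit.sqlite"
    seed = sqlite3.connect(db)
    with seed:
        seed.execute("CREATE TABLE brand_audit (month TEXT, brand TEXT, payout REAL)")
        seed.executemany("INSERT INTO brand_audit VALUES (?, ?, ?)",
                         [("2024-01", "A", 10.0), ("2024-02", "A", 12.5)])
    seed.close()

    denied = []
    con = open_analysis_connection(db, denied)
    outcome = run_analysis(con, SCRIPT_SQL)
    con.close()

    check = sqlite3.connect(db)          # the dataset is untouched
    payouts = [p for (p,) in check.execute("SELECT payout FROM brand_audit ORDER BY month")]
    check.close()
    shutil.rmtree(work)
    return {"outcome": outcome, "denied": denied, "payouts": payouts}

if __name__ == "__main__":
    for status, sql, detail in demo()["outcome"]:
        print(status, sql, detail)
```

The `denied` list is the useful artifact: it names the table and column a supposedly read-only script tried to write, which is exactly the evidence needed to substantiate an intent-code divergence finding.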

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script deletes existing month data from the database before reparsing, directly contradicting the skill's stated behavior of not modifying historical data. In an audit context, this is dangerous because it can destroy evidence, break reproducibility, and allow prior records to be silently replaced if reparsing logic or source files have changed.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The docstring describes the script as a batch re-parse operation, but the implementation first deletes stored data, which obscures a destructive side effect. Misleading labeling is dangerous in audit tooling because operators may run the script assuming a safe reprocessing step, unintentionally altering historical records and undermining data integrity.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script deletes all rows from raw_records and brand_audit before reprocessing, which directly contradicts the stated behavior of appending new months without modifying historical data. In an audit context, this can destroy the historical evidence base, break traceability, and enable accidental or intentional loss of prior audit results.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code unconditionally drops and recreates the existing SQLite table if it already exists, which destroys prior records instead of appending new monthly data. In an audit skill whose stated purpose is preserving historical data for reconciliation, this can erase evidence, break audit trails, and invalidate downstream analyses.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script unconditionally deletes all existing records for the supplied month from both raw_records and brand_audit before rebuilding them. In a skill that explicitly claims it supports incremental appends without modifying historical data, this is dangerous because a malformed input workbook, partial parse, or operator mistake can silently destroy previously trusted month data and replace it with incomplete or incorrect results.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script unconditionally executes `DROP TABLE IF EXISTS raw_records` and recreates the table, which destroys previously stored audit data every time it runs. In the context of an internal audit skill that explicitly claims to support incremental monthly appends without modifying history, this is dangerous because it can erase audit evidence, break traceability, and allow accidental or intentional loss of historical records.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script explicitly executes `DELETE FROM brand_audit` and `DELETE FROM monthly_audit`, rebuilding audit tables from scratch. That directly contradicts the skill description's append-only/no-historical-modification claim and can destroy historical audit state, traceability, and prior review evidence if run on production data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
After generating the Excel report, the script updates existing `brand_audit` and `monthly_audit` rows with corrected values, mutating previously stored audit results. In an audit context this is especially risky because it rewrites historical evidence and can conceal discrepancies between original and corrected computations without preserving provenance.
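The finding above is about provenance: a correction to `brand_audit` or `monthly_audit` is not wrong in itself, but overwriting the stored value leaves no record of what it was. The following added example (not code from the skill) shows one way to keep that record in SQLite: corrections go through a function that states a reason, triggers copy the before-image of every UPDATE and DELETE into an `audit_log` table (including writes that bypass the function, which get a NULL reason), and triggers on `audit_log` itself reject UPDATE and DELETE so the trail is append-only. The schema, the `correction_context` table and the sample rows are constructed to mirror the finding.

```python
"""Provenance-preserving corrections for stored audit results.

Added example, not code from the skill: corrections to brand_audit go
through a function that states a reason, triggers copy the before-image of
every UPDATE and DELETE into an append-only audit_log (even for writes that
bypass the function), and the log itself rejects UPDATE and DELETE. Table
and column names are constructed to mirror the finding.
"""
import sqlite3

SCHEMA = """
CREATE TABLE brand_audit (
    month  TEXT NOT NULL,
    brand  TEXT NOT NULL,
    payout REAL NOT NULL,
    PRIMARY KEY (month, brand)
);
-- One optional row carrying the reason for the correction in flight.
CREATE TABLE correction_context (id INTEGER PRIMARY KEY CHECK (id = 1), reason TEXT NOT NULL);
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    op         TEXT NOT NULL,
    month      TEXT NOT NULL,
    brand      TEXT NOT NULL,
    old_payout REAL,
    new_payout REAL,
    reason     TEXT
);
CREATE TRIGGER brand_audit_log_update AFTER UPDATE OF payout ON brand_audit BEGIN
    INSERT INTO audit_log (op, month, brand, old_payout, new_payout, reason)
    VALUES ('UPDATE', OLD.month, OLD.brand, OLD.payout, NEW.payout,
            (SELECT reason FROM correction_context WHERE id = 1));
END;
CREATE TRIGGER brand_audit_log_delete AFTER DELETE ON brand_audit BEGIN
    INSERT INTO audit_log (op, month, brand, old_payout, new_payout, reason)
    VALUES ('DELETE', OLD.month, OLD.brand, OLD.payout, NULL,
            (SELECT reason FROM correction_context WHERE id = 1));
END;
-- The log is append-only: rewriting history has to leave a trace.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""

def correct_payout(con, month, brand, new_payout, reason) -> int:
    """Apply one correction with a stated reason; returns rows changed.
    The context row is written, the update fires the logging trigger,
    and the context row is removed again, all in one transaction."""
    with con:
        con.execute("INSERT OR REPLACE INTO correction_context (id, reason) VALUES (1, ?)", (reason,))
        cur = con.execute("UPDATE brand_audit SET payout = ? WHERE month = ? AND brand = ?",
                          (new_payout, month, brand))
        con.execute("DELETE FROM correction_context WHERE id = 1")
    return cur.rowcount

def demo() -> dict:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    with con:
        con.executemany("INSERT INTO brand_audit VALUES (?, ?, ?)",
                        [("2024-01", "A", 10.0), ("2024-01", "B", 7.5)])
    changed = correct_payout(con, "2024-01", "A", 11.0, "rebate rate re-read from source workbook")
    # A write that bypasses correct_payout is still captured, with reason NULL.
    with con:
        con.execute("DELETE FROM brand_audit WHERE month = ? AND brand = ?", ("2024-01", "B"))
    log = con.execute("SELECT op, month, brand, old_payout, new_payout, reason "
                      "FROM audit_log ORDER BY id").fetchall()
    try:                                   # tampering with the trail is rejected
        con.execute("DELETE FROM audit_log")
        tamper = "allowed"
    except sqlite3.DatabaseError as exc:
        tamper = str(exc)
    con.close()
    return {"changed": changed, "log": log, "tamper": tamper}

if __name__ == "__main__":
    for row in demo()["log"]:
        print(row)
```

Triggers protect against careless scripts, not against an operator with the sqlite3 shell who can drop them; for that, the backup taken before any approved destructive run remains the control.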

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script unconditionally drops and recreates the core SQLite tables before re-importing all discovered months, which directly contradicts the skill’s stated append-only, non-destructive behavior. In an audit workflow this can destroy historical state, invalidate prior audit artifacts, and cause loss or corruption of evidence if the rebuild is run against incomplete or altered source files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The storage rule says old files are deleted before uploading the new version, but no explicit warning, preview, or confirmation step is required. This can cause unintended data loss, especially in an audit context where prior report versions may be needed for traceability, retention, or dispute resolution.

Vague Triggers

Low
Confidence
91% confidence
Finding
The instruction to 'update SKILL.md historical error review section' after audit reflection creates an implicit self-modifying behavior without clear authorization boundaries, scope limits, or approval steps. In an agent setting, this can cause prompt/instruction drift over time, accidental corruption of the skill's behavior, or persistence of incorrect or adversarial content into future runs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The backup rule directs copying the database file and the entire Skill directory to personal cloud storage, but provides no warning, consent check, data-classification gate, or sanitization requirement. Because this skill handles business audit data and likely sensitive internal logic, such exfiltration to personal storage can leak confidential records, credentials, prompts, or proprietary procedures outside approved enterprise controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script modifies database records immediately without any user-facing warning, confirmation, or explicit opt-in. In a financial audit skill, this is especially risky because routine execution can silently alter sensitive records, defeating traceability and violating the expectation of non-destructive analysis.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs irreversible deletion of month data without user confirmation, safety checks, or warning output. In a financial audit workflow, such silent destructive behavior is especially risky because it can erase historical evidence and make later discrepancies difficult to investigate or attribute.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Destructive deletion of audit data without warning, confirmation, or safety guardrails creates a serious integrity risk. In this skill's context, historical audit records are especially sensitive because they support reconciliation, reproducibility, and later review, so accidental execution could irreversibly remove important evidence.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs a destructive database operation without any confirmation, safeguard, or rollback path beyond printing a message. In an internal audit context, accidental or automated execution could silently wipe critical financial history, causing integrity loss and undermining forensic accountability.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script prints highly sensitive financial and personal data, including bank account numbers, account-holder names, and rebate emails, directly to stdout without masking or minimization. In shared terminals, logs, agent traces, or monitoring systems, this can lead to unauthorized disclosure of regulated financial data and facilitate fraud or privacy violations.
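Masking the fields named in this finding before they reach stdout or a log, as an added example in Python (not code from the skill): bank account numbers keep only their last four digits, e-mail addresses keep the first character of the local part and the domain, and account-holder names keep their first character. A `logging.Filter` applies the account-number and e-mail masking to every record, so values that a script passes straight into a log call are covered as well. Names cannot be recognised by pattern and are masked only by field name. The field names and the sample row are constructed.

```python
"""Masking of payout details before they reach stdout or a log.

Added example, not code from the skill: bank account numbers, account-holder
names and rebate e-mail addresses are reduced to a recognisable but
non-identifying form at the field level, and a logging filter scrubs account
numbers and e-mail addresses out of any message so a stray print-style log
line cannot leak them. Field names and the sample row are constructed.
"""
import logging
import re

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# Runs of 9+ digits (spaces or dashes allowed between them) are treated as
# account numbers; months like 2024-01 and amounts are too short to match.
ACCOUNT_RE = re.compile(r"\b(?:\d[ -]?){8,}\d\b")

def mask_email(addr: str) -> str:
    """zhang.san@example.com -> z***@example.com (domain kept for checks)."""
    return EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", addr)

def mask_account(number: str) -> str:
    """Keep the last four digits only: 6222 0212 3456 7890 -> ****7890."""
    digits = re.sub(r"\D", "", number)
    return f"****{digits[-4:]}" if len(digits) >= 8 else number

def mask_name(name: str) -> str:
    """Keep the first character: 张三 -> 张*, Li Wei -> L*****."""
    return name[:1] + "*" * (len(name) - 1) if name else name

# Names cannot be recognised by pattern, so they are masked by field name.
SENSITIVE_FIELDS = {"bank_account": mask_account,
                    "account_holder": mask_name,
                    "rebate_email": mask_email}

def mask_record(row: dict) -> dict:
    """Mask the sensitive fields of one audit row; other fields pass through."""
    return {k: SENSITIVE_FIELDS[k](v) if k in SENSITIVE_FIELDS and isinstance(v, str) else v
            for k, v in row.items()}

class MaskingFilter(logging.Filter):
    """Scrub e-mail addresses and account numbers from every log record,
    after %-formatting so values passed as args are covered too."""
    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        msg = EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", msg)
        msg = ACCOUNT_RE.sub(lambda m: mask_account(m.group(0)), msg)
        record.msg, record.args = msg, ()
        return True

class ListHandler(logging.Handler):
    """Collects emitted lines so the demo can show exactly what would be logged."""
    def __init__(self, sink: list):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(record.getMessage())

def demo() -> dict:
    row = {"month": "2024-01", "brand": "A", "payout": 1250.0,
           "bank_account": "6222 0212 3456 7890", "account_holder": "张三",
           "rebate_email": "zhang.san@example.com"}   # constructed sample row
    lines = []
    logger = logging.getLogger("audit.masking.demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addFilter(MaskingFilter())
    logger.addHandler(ListHandler(lines))
    # The raw values are passed in, as a careless script would do.
    logger.info("paying %s to %s (%s)", row["bank_account"],
                row["account_holder"], row["rebate_email"])
    return {"masked": mask_record(row), "log": lines}

if __name__ == "__main__":
    print(demo())
```

Attach the filter to the root logger (or the handler the agent runtime captures) rather than to one named logger if the goal is to cover every script in the skill; the name-by-field rule means the report writer still has to call `mask_record` on rows before printing or exporting them.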

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The database rebuild is destructive and occurs without any confirmation, safeguard, or warning, so an operator can unintentionally wipe the `raw_records` table simply by running the script. In an audit workflow, this increases operational risk because historical reconciliation data may be lost before errors are noticed, undermining audit integrity and recoverability.

VirusTotal

0/64 vendors flagged this skill; all 64 reported it as clean.


Static analysis

No suspicious patterns detected. Signature-style scanning looks for malware indicators, not for the DROP TABLE, DELETE FROM, and UPDATE statements documented in the findings above, so a clean result here does not contradict them.