Copy Brain

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed research workflow for creating public-figure persona skills, using optional third-party search APIs and saving a user-confirmed output file.

Install only if you are comfortable using Tavily, ScrapeBadger, and RedFox for research. Do not include confidential names, private investigation terms, secrets, or sensitive URLs in searches, and review any generated persona skill before reusing it because it can shape future agent reasoning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires environment variables, performs network access, and instructs saving files, but does not explicitly declare permissions. This creates a transparency and consent problem: a user or hosting platform may believe the skill is purely prompt-based when it actually accesses local configuration and external services. In a skill ecosystem, undeclared capabilities weaken sandboxing, review, and user trust, and can enable unexpected data exposure or file modifications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose frames the skill as a reasoning/persona tool, but the instructions also direct collection of external content, checking local environment variables, invoking third-party APIs, and writing output artifacts. That mismatch is dangerous because users may not expect operational behaviors that touch local state and external services, which increases the chance of unreviewed data flows, privacy issues, and overbroad execution in automated environments. The skill also minimizes concern by presenting these actions as normal setup, which can obscure the true attack surface.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script adds a general-purpose external content collection capability that is materially unrelated to the declared skill purpose of replicating a public figure's reasoning style. In an agent skill, such hidden or unjustified data-access functionality increases the risk of covert data gathering, policy bypass, or repurposing the skill for surveillance/content harvesting under a misleading description.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code implements article search and retrieval against an external service without an evident connection to the advertised 'copy-brain' behavior. This mismatch is dangerous because users and reviewers may grant the skill broader trust than warranted, while the agent gains an undeclared capability to fetch third-party content that could be used for profiling, scraping, or prompt/context manipulation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This script requires a REDFOX_API_KEY and sends data to a third-party Xiaohongshu scraping/API service, which is unrelated to the declared purpose of creating a 'thinking skill' from a public figure. In a mismatched skill, hidden outbound collection capability is dangerous because users may invoke it expecting local reasoning behavior while their queries or targets are transmitted externally.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file behavior is for Xiaohongshu search/detail retrieval, while the skill metadata claims it replicates a public figure's thinking style. This capability mismatch is a security issue because it conceals external data acquisition under an unrelated persona/reasoning description, undermining informed consent and making abuse or covert collection harder for users and reviewers to detect.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The work-query path sends a user-provided work UUID to the external RedFox API without any visible notice to the user at execution time. While the parameter itself is not highly sensitive by default, undisclosed outbound requests reduce transparency and can expose user-supplied identifiers or usage patterns to a third party.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The detail command forwards user-provided work IDs or Xiaohongshu links to an external RedFox API without any in-file warning or consent checkpoint. Even if the identifiers are often public, this still leaks user interest, target selection, and submitted URLs to a third party, which is more concerning in a skill whose stated purpose does not suggest external transmission.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script forwards arbitrary user-supplied search queries to a third-party API with no warning, consent, or sensitivity check. In this skill context, users may paste private research terms, names, or sensitive investigative prompts assuming they are used locally, so silent transmission to an external provider creates a real privacy and data-handling risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description/activation text is broad enough that ordinary requests about thinking or deciding like a public figure in a scenario could unintentionally trigger this skill. Because the skill is designed to replicate a person's reasoning and decision logic, accidental invocation could override a more appropriate skill or cause the agent to generate impersonation-style outputs in contexts the user did not clearly intend.

VirusTotal

65/65 vendors flagged this skill as clean.