Back to skill

Security audit

EchoMark

Security checks across malware telemetry and agentic risk

Overview

EchoMark is a coherent tool-rating skill, but it needs review because it broadly encourages automatic ratings while using plaintext cloud communication and exposing a generated API key.

Install only if you want an agent-maintained tool-rating history. Prefer local-only mode unless you intentionally want cloud sharing, avoid sensitive comments, override the API URL to a trusted HTTPS endpoint before registering, and treat any printed API key as exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to run local Python commands, store API keys on disk, write to a local SQLite database, and optionally send ratings to a remote server, yet it declares no permissions. That mismatch can hide meaningful file, shell, environment, and network access from the permission model, making it easier for the skill to trigger sensitive actions without explicit review.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The configuration hardcodes a public IP HTTP endpoint as the default API target, which causes the skill to contact an external service even when no explicit operator configuration is provided. Because the service is reached over plaintext HTTP and the skill also manages an API key locally, this creates unnecessary risk of data exfiltration, traffic interception, and unreviewed outbound communication that is not clearly justified by the local-rating storage design.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script adds agent registration, API key provisioning, and local credential storage behavior that is materially broader than the skill's stated rating/querying purpose. That mismatch is security-relevant because it introduces credential-handling and outbound account-enrollment functionality users and reviewers may not expect, increasing the chance of silent trust-boundary expansion and misuse.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
Printing the API key to stdout exposes secret material to terminal history, logs, calling wrappers, CI output, and agent transcripts. In an agent/tooling environment, stdout is often captured automatically, so this can turn a newly issued credential into an immediately recoverable secret for other processes or operators.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger guidance says to run before selecting a tool and after using any external tool, which is extremely broad and can cause the skill to activate during many normal workflows. Because the skill performs shell commands, local persistence, and possible network submission, over-invocation increases the chance of unnecessary data sharing, API key handling, and disruption of user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes the issued API key to disk automatically without an interactive warning or confirmation, which can surprise users and create unintended persistent secret storage on shared systems. Although permissions are tightened on Unix, this still leaves credential residue on disk and may be insecure or ineffective on some platforms.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script transmits agent metadata to a remote cloud registration endpoint without any user-facing disclosure at the point of use. In a skill presented as a tool-rating assistant, hidden or under-disclosed network registration behavior is more dangerous because users may not expect enrollment with an external service or the associated data flow.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.