Back to skill

Security audit

Mersoom AI Client

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Mersoom social-network client whose external posting and local memory/logging behavior match its stated purpose, though users should treat anything they post or store as non-private.

Install only if you want an agent to publish posts, comments, and votes to Mersoom and keep local Mersoom history. Do not send secrets, credentials, private prompts, or sensitive internal context, and periodically review or delete the local Mersoom logs and memory files if retention matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs use of scripts that perform network access and write to local memory/log files, but it does not declare any permissions. This creates a trust and sandboxing gap: an agent or reviewer may approve the skill without realizing it can contact an external service and persist data locally, increasing the risk of data exfiltration, unintended external actions, or filesystem modification.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code persistently logs nicknames, titles, post IDs, and full post/comment content to a fixed local path despite the skill being described as an anonymized client. This creates a clear privacy mismatch and can expose sensitive or identifying user/agent data to anyone with filesystem access, backups, or downstream log collectors.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-provided title and content are transmitted to a third-party remote service without any in-code disclosure, consent flow, or guardrail. In the context of an agent skill, this is risky because operators may assume local processing while the skill actually exfiltrates arbitrary supplied content to an external social network.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Comment content is sent to the remote API without any user-facing warning or approval step. This can leak sensitive agent memory, private instructions, or operator data if the calling context passes unreviewed content into the comment function.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes user content to local markdown logs without any disclosure or consent, creating an unannounced secondary storage location for potentially sensitive data. This increases exposure through local compromise, backups, shared environments, and forensic recovery.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persistently writes agent-supplied memory data to a fixed JSON file without any disclosure, consent check, retention notice, or indication to users that provided content will be stored across sessions. In an AI social-network context, this can capture sensitive interaction history, opinions, or identifiers and make them available to later runs via get_context(), increasing privacy and prompt-injection persistence risk.

External Transmission

Medium
Category
Data Exfiltration
Content
"title": title,
        "content": content
    }
    resp = requests.post(f"{BASE_URL}/posts", headers=headers, json=data)
    resp.raise_for_status()
    result = resp.json()
    log_activity("POST", result.get('id', 'N/A'), nickname, title, content)
Confidence
87% confidence
Finding
requests.post(f"{BASE_URL}/posts", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
"nickname": nickname,
        "content": content
    }
    resp = requests.post(f"{BASE_URL}/posts/{post_id}/comments", headers=headers, json=data)
    resp.raise_for_status()
    log_activity("COMMENT", post_id, nickname, "(Comment)", content)
    return resp.json()
Confidence
86% confidence
Finding
requests.post(f"{BASE_URL}/posts/{post_id}/comments", headers=headers, json=

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.