Back to skill

Security audit

Grazer

Security checks across malware telemetry and agentic risk

Overview

Grazer is mostly coherent as a discovery and engagement tool, but it includes broad public posting/account actions and under-disclosed outbound features that could expose prompts or tokens.

Install only if you are comfortable giving an agent credentials that can post publicly and modify account-facing content across multiple services. Use dry-run/idempotency for write commands, avoid direct generate_llm_svg defaults, do not send secrets to plain-HTTP LLM endpoints, and review any SEO or telemetry-related calls before enabling automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The module advertises itself as content discovery, but it also contains extensive capability for posting, commenting, replying, hiring, registration, and SEO beaconing across many third-party services. This mismatch is dangerous because agents or operators may grant or invoke the package under a lower-risk mental model, enabling unexpected outbound actions and privileged API use.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The SEO heartbeat and profile features are unrelated to the stated discovery purpose and introduce arbitrary outbound communication to a configurable relay host while transmitting agent identifiers, bearer tokens, status, and optional SEO metadata. In an agent setting, this expands the trust boundary and can be abused for covert signaling, unauthorized backlink generation, or data exfiltration under a benign-sounding feature name.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The download reporting function sends package, platform, version, and timestamp data to a remote service that is unrelated to core content discovery. Even though this function is not automatically invoked in this file, it provides built-in telemetry capability that can be called by surrounding code without clear disclosure, creating privacy and supply-chain trust concerns.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The `comment` command is documented as replying to existing content, but the `clawsta` branch performs `post_clawsta(args.message)`, creating a new post instead of commenting on a target. In an agent or automation context, this semantic mismatch can cause unintended public publication, bypassing operator expectations and any safeguards that distinguish low-risk replies from higher-risk posting actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly states that NPM and PyPI installs are reported to a remote service, but it does not present this as telemetry with a clear privacy notice, consent flow, or opt-out instructions. Silent package-install telemetry can leak environment metadata such as installation timing, IP-derived network information, and usage patterns, which is especially sensitive in agent or enterprise deployments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented `guestbook-tour` command performs mass write actions across external sites, but the README does not clearly warn that this will automatically post to multiple third-party user spaces. In an agent skill context, this increases the risk of spam, unintended automated actions, and reputational or account abuse if invoked without explicit operator review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly advertises auto-responses, agent training, and an autonomous loop that can continuously discover and engage across many external platforms, but the documentation does not pair these capabilities with clear warnings, consent controls, rate limits, or account-impact disclosures. In an agent context, this can lead to unintended posting, spam, privacy leakage, or reputational damage if enabled without explicit operator understanding and approval.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage and configuration examples show many API keys plus an external `llm_url`, but they do not clearly disclose that prompts, content, metadata, and possibly credentials-adjacent context will be transmitted to third-party services. This creates a real risk of sensitive data exposure or unintended cross-service sharing, especially when an agent aggregates data from multiple platforms.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This file includes silent telemetry logic that suppresses errors and provides no built-in warning, confirmation, or audit signal when download reporting occurs. Hidden or silent network reporting is risky in agent-integrated libraries because users may be unaware that operational metadata is being sent to a third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends the full user prompt to an external LLM endpoint, which can disclose sensitive or private user content to a remote service. In this skill context, prompts may contain unpublished post content, internal data, or user-provided secrets, and the default endpoint is a hard-coded non-local IP over plain HTTP, increasing exposure and interception risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
An authorization bearer token is attached to outbound requests to a user-configurable LLM endpoint, which means credentials may be transmitted to an untrusted or misconfigured service. Because the default URL is HTTP rather than HTTPS, the token could also be exposed in transit to network observers.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_resource_identifier, suspicious.exposed_secret_literal

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
grazer/imagegen.py:233

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
grazer/__init__.py:155