Alibabacloud Quickbi Smartq

Security checks across malware telemetry and agentic risk

Overview

This QuickBI skill is coherent, but it needs review because it can upload business files, create and persist identity data, and install or overwrite generated skills.

Install only if you intend to use Alibaba Cloud QuickBI for these files, dashboards, and datasets. Use least-privilege QuickBI credentials, avoid global credential storage where possible, review changes to ~/.qbi and workspace .qbi folders, and require explicit confirmation before any generated skill is installed or an existing skill name is reused. Do not upload sensitive or regulated documents unless your organization approves QuickBI processing and the report workflow's online search behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
use_shell = platform.system() == 'Windows' and ' ' in libreoffice_cmd

# Convert with LibreOffice
result = subprocess.run(
    [
        libreoffice_cmd, '--headless', '--convert-to', 'docx',
        '--outdir', str(tmpdir), str(file_path)
Confidence
89% confidence
Finding
result = subprocess.run( [ libreoffice_cmd, '--headless', '--convert-to', 'docx', '--outdir', str(tmpdir), str(file_path)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# On Windows, if the path contains spaces, shell=True is needed
use_shell = platform.system() == 'Windows' and ' ' in libreoffice_cmd

result = subprocess.run(
    [
        libreoffice_cmd, '--headless', '--convert-to', 'pdf',
        '--outdir', str(tmpdir), str(file_path)
Confidence
89% confidence
Finding
result = subprocess.run( [ libreoffice_cmd, '--headless', '--convert-to', 'pdf', '--outdir', str(tmpdir), str(file_path)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to read ACCESS_TOKEN and global configuration under the user's home directory, which extends data access beyond the immediate task of analyzing QuickBI data. Reading broad environment and home-scoped config can expose unrelated secrets or identifiers if the runtime contains more than the narrow fields the skill actually needs.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The automatic trial flow registers a user based on a device-unique identifier and persists the resulting user token to a global config file without a clear consent step. Device-based registration and cross-session persistence create tracking and privacy risk that is not necessary for many analysis tasks and may surprise users.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill documents automatic user registration based on a device identifier and persistent writeback of the resulting userId to ~/.qbi/config.yaml. That expands the skill from analysis/querying into identity provisioning and durable local state mutation without clear user consent, creating privacy, account-management, and least-privilege risks if invoked unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented code path includes organization user lookup and creation APIs even though the skill is presented as dataset/file Q&A. Mixing analytics with organization-management actions increases the blast radius: a routine analysis request could trigger account provisioning in the backend, which is unrelated to the user's immediate task and may violate expected boundaries and approval workflows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs executing a local shell command to install the generated skill into the skill center, which goes beyond passive dashboard analysis and causes a persistent local environment change. In a documentation-driven agent flow, this creates a real risk of silent or unexpected system modification if the agent follows the instructions without an explicit confirmation boundary.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented helper functions persist configuration and credentials to global or workspace-scoped files, which introduces lasting side effects beyond the stated dashboard-generation purpose. Storing API keys or tokens without strong consent, scope restriction, and secure handling can expose secrets to other processes, users, or future sessions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation states that when `user_token` is absent, the skill will automatically derive a device-based identifier, register a user through an organizational API, and persist the resulting `userId` into `~/.qbi/config.yaml`. That expands the skill from passive data analysis into identity provisioning and persistent local state modification, which increases privacy, consent, and unauthorized account-creation risk. In this context, a data-insight skill handling uploaded business files should not silently create accounts or write credentials/config without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The module requires `useOnlineSearch: true` in the attachment payload, which expands the skill from a bounded Quick BI report-generation flow into forced external web access. This increases data-exposure and prompt-injection risk because user queries and possibly file-derived context may be sent to or influenced by untrusted internet content even when the user only expects internal report generation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The workflow performs automatic user registration and writes identifiers back into a persistent global config file, which goes beyond report generation into account provisioning and durable state mutation. This can create unauthorized accounts, leak identifiers across sessions, and violate least-privilege expectations for a skill that users may assume is only generating a report.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code implements persistent host identification by reading Linux machine identifiers and storing a reusable device ID under the user's home directory. For a Quick BI analysis/document parsing skill, this capability is not necessary to fulfill the stated functionality, so it creates unnecessary privacy and tracking risk and could enable user/device correlation across sessions without meaningful disclosure or consent.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code automatically provisions a user by deriving an account identifier and hostname from the local device, sends that data to a remote service, and then persists the returned user token into a global config file. This is broader than the advertised analysis functionality and creates a privacy and identity-management risk because it silently links a device to a remote account and leaves durable credentials on disk.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
Report chat creation sets needWebSearch/useOnlineSearch to true unconditionally, so uploaded content and prompts may be processed in a workflow that also invokes external web search. This expands data flow beyond the core Quick BI scope and can cause unexpected external exposure of user queries or file-derived context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill supports file Q&A and document parsing through Quick BI and remote OCR/API workflows, but the description does not clearly warn that uploaded files and extracted document contents may be transmitted to external services. Users may provide sensitive spreadsheets, contracts, invoices, or images without informed consent about remote processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The configuration guidance tells the agent to write server domain, API keys, secrets, and user identifiers into workspace and possibly home-directory config files, but the skill description does not clearly disclose this persistence. Persisting credentials without prominent warning increases the risk of accidental secret exposure through source control, shared workspaces, backups, or multi-user systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create directories, copy files, write SKILL.md and config.yaml, and then install the result, but it does not require a prominent user-facing warning or confirmation before these filesystem and environment changes. This is dangerous because users may believe they are requesting analysis only, while the agent performs persistent local modifications and potentially overwrites existing content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description indicates use of API credentials, access tokens, file upload, dashboard retrieval, and remote Quick BI/OpenAPI interactions, but it does not clearly warn users that dashboard contents and credential-backed data may be transmitted to external services. In a data-analysis context, this can expose sensitive business metadata, document contents, or token-scoped data without adequate transparency.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template instructs the skill to load API credentials and user tokens from multiple locations and to solicit configuration from the user, but it does not require a clear user-facing notice about what secrets are being accessed, where they are stored, or how they will be used. In a skill context that interacts with external BI services, this can lead to unintentional exposure of sensitive credentials or normalization of pasting secrets into chat without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template directs the skill to send user questions, dataset identifiers, and user identity/token-derived information to an external Quick BI API, yet it does not require a visible disclosure that data will leave the local environment. Because this skill is specifically designed for data analysis against remote services, the absence of network/privacy transparency increases the risk of users submitting sensitive business questions or data without realizing they are being transmitted externally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly states that when local parsing fails it will fall back to remote OCR via the QuickBI API, which means document contents may be transmitted off-host. Because the instructions do not require an explicit user warning or consent step before upload, users may unknowingly send sensitive PDFs, contracts, invoices, HR files, or legal documents to an external service.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The workflow and examples direct the tool to save extracted text and structured outputs to JSON/Excel files under an output directory, but there is no explicit warning that potentially sensitive extracted data will be persisted to disk. This can create unintended local data exposure through shared machines, insecure directories, backups, or later access by other users and processes.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger rules are broad enough that ordinary requests about uploaded documents or analysis could be routed into this report module unnecessarily. In context, that matters because this module can upload files, create backend jobs, and invoke external search, so misrouting can cause unintended data transfer and actions beyond the user's likely intent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The boundary between this module and the question-answering module is underspecified, making it easy for the agent to choose the wrong capability. Because the report path performs more powerful operations, ambiguous routing increases the chance of unnecessary backend processing, file uploads, and persistence that the user did not specifically request.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function sends userId and the full natural-language question to remote OpenAPI endpoints, which may contain personal, confidential, or regulated data. In this skill context, transmitting query text is functionally necessary for smart table selection, but the absence of minimization, consent/notice, or visible privacy controls increases privacy and compliance risk if sensitive content is included.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal