NowPlaying XHS

Security checks across malware telemetry and agentic risk

Overview

This movie recommendation skill is not clearly malicious, but it needs review because it mixes location-based web lookups, API keys, a globally installed browser-automation tool, and leftover local-HTTP-server examples, with inconsistent disclosure of these behaviors.

Review before installing or running. Prefer approximate, city-level location over precise location, do not run commands that print API keys, and avoid the chart workflow unless you can serve only a dedicated temporary directory and stop the server immediately afterwards. Install Agent Browser globally or add the cron job only if you explicitly want those behaviors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions, yet the instructions clearly require network access, local file writes under /tmp, subprocess execution, and browser-driven automation. This mismatch undermines user and platform trust because the runtime behavior is broader than what a reviewer or permission system would expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill's stated purpose is movie recommendation and nearby showtimes, but the behavior described by analysis includes unrelated scraping/report-generation actions and gaps in the promised functionality. Description-behavior mismatch is dangerous because users may authorize or trigger the skill under false assumptions about what it actually does.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill instructs creation of local HTML files, starting a local HTTP server, and rendering screenshots purely for chart generation. That introduces unnecessary file-system and service-exposure capabilities for a recommendation skill, increasing attack surface and enabling misuse of local resources.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Directing installation of a global browser automation tool with optional dependency installation grants far broader control than needed for fetching movie listings. Global browser automation can access arbitrary sites and perform interactions beyond the declared movie-recommendation scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The visualization workflow uses shell execution to write files, start background services with nohup, sleep, open browsers, and take screenshots. These subprocess and persistence behaviors exceed what is needed for the core function and create opportunities for unintended command execution and lingering processes.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The radar-chart flow repeats the same risky pattern of local file creation, HTTP serving, browser automation, and screenshot extraction. Repetition of these behaviors compounds attack surface and normalizes unnecessary privileged actions in a low-risk user scenario.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The troubleshooting section instructs users to print live secrets with commands like `echo $BOCHA_API_KEY` and `echo $TAVILY_API_KEY`, which can expose credentials in terminal history, screen recordings, shared logs, or support screenshots. While this is documentation rather than executable code, it normalizes unsafe secret-handling and increases the chance of accidental credential disclosure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manual trigger phrases are broad natural-language requests like '现在有什么好看的电影' ("what good movies are showing right now") and '帮我选一部电影' ("help me pick a movie"), which can plausibly appear in ordinary conversation and cause unintended invocation of the skill. In an agent environment, overly generic triggers increase the chance of accidental network access and unsolicited external-content retrieval without the user clearly intending to run this specific skill.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The README states that the skill fetches data from Rotten Tomatoes and Variety but does not clearly warn users that invoking the skill causes outbound network requests. While expected for this functionality, the lack of disclosure reduces transparency and can surprise users in restricted or privacy-sensitive environments.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad enough to match ordinary movie-related conversation, which can cause the skill to activate unexpectedly. Overbroad triggering is dangerous because it may invoke network lookups and location-dependent behavior without clear user intent to use this specific skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill prioritizes user location to refine nearby cinema results but does not include a clear privacy notice or consent step before using that information. Location data is sensitive, and transmitting city or area information to third-party search providers increases privacy risk.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Live showtimes (prefer the Bocha API)
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"猫眼电影 [城市] [片名] 今日排片 场次 [日期]"}'
```
Confidence
90% confidence
Finding
`curl -X POST "https://api.bocha.cn/v1/web-search" \ -H "Authorization: Bearer $BOCHA_API_KEY" \ -d '{"query":"猫眼电影 [城市] [片名] 今日排片 场次 [日期]"}' # 2. Box-office data (Bocha API) curl -X POST "https://api.bocha.cn/v`

External Transmission

Medium
Category
Data Exfiltration
Content
#### Option B: Bocha API search (better real-time freshness)

```bash
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"猫眼电影 [城市] [片名] 今日排片 场次 [日期]"}'
```
Confidence
90% confidence
Finding
`curl -X POST "https://api.bocha.cn/v1/web-search" \ -H "Authorization: Bearer $BOCHA_API_KEY" \ -d`

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Live showtimes (prefer the Bocha API)
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"猫眼电影 [城市] [片名] 今日排片 场次 [日期]"}'
```
Confidence
90% confidence
Finding
https://api.bocha.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
  -d '{"query":"猫眼电影 [城市] [片名] 今日排片 场次 [日期]"}'

# 2. Box-office data (Bocha API)
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"猫眼专业版 实时票房 [日期]"}'
```
Confidence
89% confidence
Finding
https://api.bocha.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
#### Option B: Bocha API search (better real-time freshness)

```bash
curl -X POST "https://api.bocha.cn/v1/web-search" \
  -H "Authorization: Bearer $BOCHA_API_KEY" \
  -d '{"query":"猫眼电影 [城市] [片名] 今日排片 场次 [日期]"}'
```
Confidence
90% confidence
Finding
https://api.bocha.cn/

Session Persistence

Medium
Category
Rogue Agent
Content
```
write path=/tmp/nowplaying-chart.html content="<html>..."

# 2. Start the HTTP server (in the background)
exec command="cd /tmp && nohup python3 -m http.server 8888 > /tmp/http.log 2>&1 &" background=true

# 3. Wait for the server to start
exec command="sleep 2"
```
Confidence
94% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
```
write path=/tmp/nowplaying-charts.html content="<html>..."

# 2. Start the HTTP server (in the background)
exec command="cd /tmp && nohup python3 -m http.server 8888 > /tmp/http.log 2>&1 &" background=true

# 3. Wait for the server to start
exec command="sleep 2"
```
Confidence
94% confidence
Finding
nohup

VirusTotal

60/60 vendors flagged this skill as clean.
