
Security audit

Miaoda App Builder

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Miaoda app-building integration, but it can use a Miaoda API key to create, inspect, and publicly publish apps without sufficient confirmation or redaction guardrails.

Install only if you intend to use Miaoda and are comfortable giving the skill a Miaoda API key, sending prompts and app details to Miaoda, and potentially consuming account credits. Keep the API base URL on the official Miaoda endpoint, avoid putting secrets or private data in prompts, review history/trajectory output carefully, and require explicit approval before generating or publishing anything publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill includes a dedicated conversation-history feature that reconstructs and outputs prior user/agent exchanges for an app. That exceeds the minimum needed for app creation/deployment and can expose sensitive prompts, uploaded file contents, command observations, and agent actions to whoever can invoke the CLI with an app ID and token.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill describes production deployment URLs and later strongly encourages sharing only the public deployment URL, but it does not require an explicit user confirmation or warning before making an application publicly accessible. In this context, publishing can expose generated content, data, or unfinished apps to the internet, so lack of a clear pre-publish warning materially increases the risk of accidental public disclosure.
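One way to close the gap this finding describes, added here as an illustration and not code from the Miaoda skill or the SkillSpector report: refuse to publish unless the configured API base URL is the official endpoint and the user has typed an explicit confirmation in an interactive session. The host name api.miaoda.example, the PublishRefused exception, the ask callback and the do_publish callback are assumptions; substitute the real endpoint and the skill's own publish call.

```python
"""Pre-publish guard: official endpoint check plus explicit, interactive approval.

Added example, not the skill's own code. OFFICIAL_HOSTS, PublishRefused,
the ask/do_publish callbacks and the confirmation phrase are assumptions.
"""
import sys
from typing import Callable, Tuple
from urllib.parse import urlparse

# Placeholder for the official Miaoda API host; the real value is not on the audit page.
OFFICIAL_HOSTS = {"api.miaoda.example"}
CONFIRM_PHRASE = "publish"


class PublishRefused(Exception):
    """Raised when a safety check blocks a public deployment."""


def check_base_url(base_url: str) -> str:
    """Reject non-HTTPS or non-official API endpoints (a redirected base URL
    would send the API key and app data to a third party)."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        raise PublishRefused(f"refusing non-HTTPS base URL {base_url!r}")
    if parsed.hostname not in OFFICIAL_HOSTS:
        raise PublishRefused(f"host {parsed.hostname!r} is not the official endpoint")
    return base_url


def require_publish_approval(app_id: str, ask: Callable[[str], str], interactive: bool) -> bool:
    """Require the user to type the confirmation phrase; never auto-approve in CI."""
    if not interactive:
        raise PublishRefused("publishing needs an interactive confirmation; refusing in non-TTY/CI")
    prompt = (
        f"About to make app {app_id} publicly reachable. Generated content, data and "
        f"unfinished work will be visible to anyone with the URL. "
        f"Type '{CONFIRM_PHRASE}' to continue: "
    )
    if ask(prompt).strip().lower() != CONFIRM_PHRASE:
        raise PublishRefused("publish not confirmed")
    return True


def publish(
    app_id: str,
    base_url: str,
    ask: Callable[[str], str],
    do_publish: Callable[[str, str], str],
    interactive: bool = True,
) -> Tuple[bool, str]:
    """Run both checks, then call the (assumed) publish function.

    Returns (True, public_url) on success or (False, reason) when refused; the
    publish function is never invoked on refusal."""
    try:
        check_base_url(base_url)
        require_publish_approval(app_id, ask, interactive)
    except PublishRefused as exc:
        return False, f"refused: {exc}"
    return True, do_publish(app_id, base_url)


if __name__ == "__main__":
    # Constructed stand-in for the real API call.
    fake_publish = lambda app_id, base_url: f"{base_url}/apps/{app_id}/public"
    print(publish("app-1", "https://api.miaoda.example/v1", input, fake_publish,
                  interactive=sys.stdin.isatty()))
```

The interactive flag is passed in rather than detected inside the function so a wrapper cannot accidentally bypass the prompt by redirecting stdin; in CI the only outcome is refusal.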

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The conversation-history path can emit full prior conversation content, and the CLI presents it directly without any warning that secrets, personal data, prompts, or file contents may be revealed. In a skill that manages app-building conversations, those transcripts are likely to contain sensitive business logic and credentials pasted by users.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The trajectory polling, SSE streaming, and fetch commands print raw server events verbatim. Those events may include conversation text, metadata, context identifiers, agent actions, and other sensitive state, creating an easy path for inadvertent disclosure into terminals, logs, wrappers, or downstream tooling.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The conversation-history command can output plain-language content from prior user and agent messages, including full content when --full is used. This raises the risk of disclosing sensitive prior instructions, data pasted into chats, file contents, and operational details beyond what is needed for normal app lifecycle actions.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Trajectory polling and streaming emit all events as JSON lines without filtering. Because these events can contain verbatim message content and internal metadata, they can leak sensitive information to shell history, CI logs, monitoring systems, or any parent process capturing stdout/stderr.
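The four history and trajectory findings above describe one disclosure path: the CLI echoes server events verbatim to stdout, where shell history, CI logs and parent processes capture them. The filter below is an added example, not part of the Miaoda skill or the SkillSpector report. It assumes JSON-lines events with fields such as type, timestamp, contextId and content; the sensitive key names, secret patterns and sample events are constructed assumptions. It shows the shape of a safer default: the non-full view keeps only routing metadata, and the full view redacts credential-like strings and known secret keys before anything is printed.

```python
"""Redact trajectory/SSE events before they reach stdout, logs or CI.

Added example, not code from the Miaoda skill. Event shapes, key names,
secret patterns and the sample events are constructed assumptions.
"""
import json
import re
from typing import Any, Iterable, Iterator

# Keys whose values are never printed, regardless of content (assumed names).
SENSITIVE_KEYS = {"api_key", "apikey", "token", "authorization", "password", "secret"}

# Patterns that commonly mark credentials or personal data pasted into prompts.
SECRET_PATTERNS = [
    re.compile(r"\b(?:sk|rk)-[A-Za-z0-9_-]{16,}\b"),        # OpenAI-style keys
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                      # AWS access key IDs
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),    # Authorization headers
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),              # e-mail addresses
]
MASK = "[REDACTED]"


def redact_text(text: str) -> str:
    """Mask every secret-looking substring in free text."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(MASK, text)
    return text


def redact_value(key: str, value: Any) -> Any:
    """Recursively redact a JSON value; sensitive keys are masked wholesale."""
    if key.lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        return {k: redact_value(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_value(key, v) for v in value]
    return value


def redact_event(event: dict) -> dict:
    return {k: redact_value(k, v) for k, v in event.items()}


def summarize_event(event: dict) -> dict:
    """Default (non --full) view: keep routing fields, drop message bodies."""
    keep = ("type", "timestamp", "contextId", "status")
    return {k: event[k] for k in keep if k in event}


def filter_jsonl(lines: Iterable[str], full: bool = False) -> Iterator[str]:
    """Turn raw server lines into printable lines; unparsed text is never echoed raw."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            yield redact_text(line)
            continue
        view = redact_event(event) if full else summarize_event(event)
        yield json.dumps(view, sort_keys=True)


# Constructed sample events (not real Miaoda output).
SAMPLE_EVENTS = [
    '{"type":"message","timestamp":1,"contextId":"ctx-1","role":"user",'
    '"content":"Use key sk-abcdefghijklmnopqrstuvwxyz123456 and mail admin@example.com"}',
    '{"type":"tool","timestamp":2,"contextId":"ctx-1","metadata":{"token":"t0ps3cret","api_key":"abc"}}',
    "event: ping",
]

if __name__ == "__main__":
    for out in filter_jsonl(SAMPLE_EVENTS, full=True):
        print(out)
```

Pattern-based redaction is a last line of defence, not a guarantee: a pasted database password with no recognisable shape passes through, which is why the default view drops message bodies entirely and the full view should stay opt-in.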

Context Leakage

Severity: High
Category: Data Exfiltration
Content:

```python
    app_id: str,
    fetch_timeout: int = 10,
) -> Optional[str]:
    """Extract the conversationId (contextId) for an existing app by reading its trajectory.

    Scans ALL trajectory events and returns the MOST RECENT (last) non-empty contextId
    found, checking two paths per event:
```

Confidence: 89%
Finding
Extract the conversation

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.