Siluzan CSO

Security checks across malware telemetry and agentic risk

Overview

The skill’s core content and account-management purpose is understandable, but its installer makes broad system and cross-agent changes that users should review before installing.

Install only if you are comfortable with a global CLI that can access Siluzan credentials and perform media-account actions. Prefer manual installation over the one-click script, review the install script first, avoid running remote shell installers with sudo, check whether npm registry settings were changed, and confirm exactly which assistant skill directories will be modified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding:
The skill states that account-related actions must first determine whether the target is an advertising account or an operational media account, but later guidance encourages direct account queries without preserving that gate. This inconsistency can cause the agent to act on the wrong account domain, leading to unauthorized data exposure, mistaken operations, or cross-business workflow confusion.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The documentation advertises support for additional platforms (`douyin`, `channel`) that are outside the skill metadata’s declared supported scope, which explicitly limits content publishing/operations to YouTube, TikTok, Instagram, LinkedIn, X, and Facebook. This mismatch can cause the agent or users to invoke unsupported or unintended workflows, weakening policy boundaries and creating opportunities for unauthorized actions, incorrect routing, or misuse of platform-specific functionality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The reference documentation lists supported platforms such as Douyin, Wechat, and Kwai, while the skill metadata declares support only for YouTube, TikTok, Instagram, LinkedIn, X, and Facebook. This creates a scope mismatch that can cause the agent to invoke this skill for out-of-scope account operations, potentially leading to unauthorized actions, policy bypass, or misrouting of user requests to unsupported backends.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The publish workflow instructs the agent to list and select accounts immediately, but the skill metadata explicitly requires clarifying whether the user means an advertising account or an operational media account before using this skill. Skipping that gate can cause the agent to operate in the wrong account domain, exposing unrelated account metadata and enabling unintended actions against accounts the user did not mean to target.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The report documentation advertises additional platforms such as WeChat Channels (微信视频号) and Kwai (快手) that are outside the skill metadata's declared supported set. This mismatch can cause the agent to route requests to unsupported backends or attempt operations on accounts the skill was not authorized or designed to handle, leading to policy bypass, incorrect tool use, or unintended data exposure across account types/platforms.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The installer performs cross-platform global registration into many AI assistant skill directories and forces initialization with `--global --force`, which exceeds the stated business purpose of content production, publishing, and RAG retrieval. This broad persistence-like setup increases blast radius across unrelated tools and can silently affect multiple agent environments on the host, making abuse or unintended side effects much more serious.

Description-Behavior Mismatch

Severity: Low
Confidence: 93%
Finding:
The script changes the user's global npm registry to `https://registry.npmmirror.com`, a persistent system configuration change unrelated to the declared skill functionality. This can affect all future npm installs on the machine, redirect package trust to a third-party mirror, and create supply-chain risk or operational breakage outside this skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The installer downloads and installs Git for Windows from a vendor-controlled CDN as a fallback execution environment, even though Git is not required by the skill's stated purpose. Installing unrelated software broadens system modification and introduces additional supply-chain exposure, especially because the binary is fetched from a custom host rather than an official vendor channel with visible integrity verification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The installer performs broad cross-platform registration into many AI assistant global skill directories, which exceeds the narrowly described business purpose of content generation, publishing, and RAG retrieval. This creates an unexpected persistence and propagation mechanism across unrelated tools, increasing blast radius if the CLI is compromised or later updated maliciously.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The script changes the user's global npm registry to a third-party mirror, affecting future package installs system-wide beyond this skill. This is risky because it silently alters the software supply chain trust boundary and may redirect unrelated package management activity through infrastructure the user did not choose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The installer auto-installs Node.js using remote bootstrap scripts and package-repository setup commands unrelated to the core skill functionality. This expands the trust boundary and can execute privileged third-party code during installation, turning a simple skill install into a broader system modification path.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The workflow explicitly instructs the agent to write user-provided library files into `~/.siluzan/content-library/` and to continuously modify those files across sessions. That creates persistent local state and authorizes mutation of user files beyond one-shot content generation, increasing the risk of unintended data retention, cross-task contamination, and unauthorized overwrites if the user did not clearly consent to persistent storage/editing.

Ssd 4

Severity: Medium
Confidence: 96%
Finding:
This section explicitly prescribes a staged persuasion funnel: first establish resonance and authority, then inject anxiety, then present a solution, and finally use the CTA to make users disclose business category and current status. In an agent skill, that is risky because it operationalizes manipulative behavioral steering and targeted collection of user segmentation data under the guise of content design.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The CTA examples encourage low-friction collection of business identifiers such as what the user sells, their website, and concise business background. That is dangerous in a skill context because it normalizes extracting potentially sensitive commercial details from users without clear necessity, consent framing, or minimization controls.

Ssd 4

Severity: Medium
Confidence: 95%
Finding:
The audience-resonance template directs the model to identify a target group's suppressed grievances, define an enemy, create an in-group/out-group frame, use insider signals, and end with a CTA that makes aligned readers reveal their identity. This is a classic identity-based persuasion pattern that can be exploited for manipulative profiling, polarization, and covert extraction of user attributes.

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
    linux)
      if command -v apt-get >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (apt)..."
        curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
Confidence: 97%
Finding: `sudo`

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
      if command -v apt-get >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (apt)..."
        curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
        curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo -E bash -
Confidence: 85%
Finding: `sudo`

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
        curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo -E bash -
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
Confidence: 97%
Finding: `sudo`

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
        curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo -E bash -
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
        curl -fsSL https://install-node.vercel.app/lts | bash -s -- --yes
Confidence: 85%
Finding: `sudo`

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
    linux)
      if command -v apt-get >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (apt)..."
        curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
Confidence: 97%
Finding: `sudo -E`

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
        curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo -E bash -
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
Confidence: 97%
Finding: `sudo -E`

External Script Fetching

Severity: High
Category: Supply Chain
Content:
        brew link --overwrite node@22 2>/dev/null || true
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
        curl -fsSL https://install-node.vercel.app/lts | bash -s -- --yes
      fi
      ;;
    linux)
Confidence: 99%
Finding: `curl -fsSL https://install-node.vercel.app/lts | bash`

External Script Fetching

Severity: High
Category: Supply Chain
Content:
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
        curl -fsSL https://install-node.vercel.app/lts | bash -s -- --yes
      fi
      ;;
    gitbash)
Confidence: 99%
Finding: `curl -fsSL https://install-node.vercel.app/lts | bash`

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
    linux)
      if command -v apt-get >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (apt)..."
        curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
Confidence: 99%
Finding: `| sudo`

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
        curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo -E bash -
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
Confidence: 99%
Finding: `| sudo`

VirusTotal

65/65 vendors flagged this skill as clean.
