ITjuzi

Security checks across malware telemetry and agentic risk

Overview

This skill coherently queries IT桔子 bulletin data, but users should understand it can store and use an IT桔子 token locally.

Install only if you are comfortable giving this skill an IT桔子 Skill Token. Prefer using the ITJUZI_SKILL_TOKEN environment variable for temporary use, avoid running --show-token in shared logs, and remove the saved token when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill invokes shell scripts but does not declare permissions, which weakens transparency and security review. Hidden shell capability increases risk because operators and users may not realize the skill can execute local commands, read local state, and interact with the filesystem or network indirectly through the script.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The published description frames the skill as a simple bulletin query tool, but the documented behavior also persists tokens to disk, removes them, reveals token status/prefix, and reads credentials from environment variables or local files. That mismatch is security-relevant because users may disclose credentials or authorize execution without understanding the skill's broader access to local secrets and persistent auth state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill includes credential lifecycle operations (set, remove, show) that exceed its stated purpose of querying a bulletin feed. In an agent setting, these extra capabilities increase attack surface by allowing secrets to be persisted and later exposed or manipulated through tool invocation paths unrelated to normal query functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The --show-token command discloses the first 20 characters of the bearer token and reveals its storage source. Partial secret disclosure is still sensitive: a prefix can aid token identification, correlation, phishing, or debugging leaks, and it reduces the search space for brute-force or log-based recovery. The command is also unjustified for a read-only bulletin skill.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill tells users to save a provided token and states it will remain effective permanently, but gives no warning about persistence, local storage location, access controls, or revocation implications. This can lead users to unknowingly leave long-lived credentials on disk, increasing the chance of credential theft from a shared machine, backup exposure, or later compromise of the local account.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script persists the API token to disk under the user's home directory without any warning, consent prompt, or clear disclosure. In agent or shared-environment contexts, silent persistence can leave long-lived credentials behind where they may be unintentionally backed up, inspected, or reused beyond the user's expectation.

VirusTotal

64/64 vendors flagged this skill as clean.