Back to skill

Security audit

Aicwos

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local copywriting and knowledge-base tool, but it needs Review because it can persistently write, delete, import/export, and remotely sync local data with loose scoping.

Install only if you want a persistent local copywriting database and are comfortable with the agent creating, updating, deleting, importing, exporting, and syncing files in a dedicated control folder. Use a separate low-risk directory, review any cloud sync URL carefully, avoid untrusted names or imported lecturer folders, and back up important knowledge files before using delete or revision workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares itself as a mandatory copywriting pipeline but documents capabilities to read and write arbitrary workspace files and perform network synchronization, while no explicit permissions boundary is declared. That creates a trust gap: an agent may invoke file and network operations users did not meaningfully consent to, increasing the risk of data exfiltration, destructive writes, or unexpected remote access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior substantially exceeds the stated purpose: beyond copywriting support, it initializes databases, manages filesystem structure, downloads models, syncs from remote cloud locations, imports/exports data, and mutates global rules. This mismatch can mislead users and higher-level agents into authorizing a much more privileged tool than expected, which is dangerous because the extra behaviors include persistence, deletion, and network retrieval.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest frames the skill as a copywriting and knowledge pipeline, but the instructions also include cloud sync and cross-user import/export operations. Those capabilities expand the attack surface to remote data ingestion and data movement between environments, which is more sensitive than ordinary content generation and may surprise users or supervising systems.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document states that agents cannot write files directly, but then instructs them to use native file-writing tools to create staging files such as `_staging.txt` and `_profile_staging.json`. This inconsistency weakens the safety boundary around write operations and can enable arbitrary file creation or path-manipulation if an agent follows the more permissive instruction, especially in a skill that handles persistent data and shell commands.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CLI exposes generic filesystem enumeration via `--type fs` and accepts an arbitrary `--data-dir`, allowing callers to browse directory trees beyond the copywriting, lecturer, and knowledge-base functions described in the skill metadata. In an agent setting, this broadens the tool from domain-specific data access into general local file discovery, which can reveal sensitive filenames, project structure, or nearby datasets that were never intended to be exposed.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The CLI includes behavior-rule administration (`list/add/remove/update`) even though the skill is presented as a data pipeline for copywriting, lecturer profiles, series progress, and knowledge retrieval. Allowing callers to modify behavior rules creates a policy-manipulation surface: an attacker or prompt-injected workflow could weaken safeguards, alter downstream generation constraints, or persist malicious rule changes that affect future outputs.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script accepts a remotely configured base_url from workspace.json, downloads a manifest and arbitrary listed files, and writes or renames files under the local knowledge base without any trust validation, integrity checking, allowlisting, or operator confirmation. In this skill context, that is more dangerous because the skill is presented as mandatory infrastructure for copywriting and knowledge retrieval, so invoking it can silently change the data corpus the agent relies on and let a remote source poison outputs or disrupt local knowledge availability.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script explicitly supports write-through persistence of raw input text to both SQLite and the filesystem via --save-sample. In this skill context, the inputs are likely lecturer scripts, copywriting drafts, or knowledge-base content, which may contain proprietary, personal, or otherwise sensitive data; storing them by default-capable workflow increases data retention and disclosure risk beyond a pure analyzer's expected behavior.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.