Security audit

墓志铭 Epitaph

Security checks across malware telemetry and agentic risk

Overview

This skill has a real social-media summary purpose, but it can deeply inspect logged-in accounts and auto-fetch a browser automation dependency without enough clear scoping or consent.

Install only if you are comfortable letting an agent inspect logged-in social accounts, including saves, likes, favorites, follows, comments, ratings, and posts. Approve any ManoBrowser setup manually, prefer a separate browser profile, scan only platforms you intentionally choose, review the raw output before sharing, and delete epitaph-data/ afterward if you do not want the collected history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (53)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill declares no permissions while instructing the agent to use shell-capable behaviors such as git, curl, unzip, and local file operations. This creates hidden execution scope and weakens user and platform expectations about what the skill is allowed to do, increasing the chance of unauthorized code retrieval or local system modification.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The stated purpose is generating a social-media summary, but the documented behavior also inspects local configuration, probes MCP/browser connectivity, and performs dependency installation and remote retrieval. That mismatch is dangerous because users may consent to content summarization without realizing the skill can inspect environment state and modify the local setup.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The README claims the skill avoids sensitive privacy analysis, yet the described behavior includes mining hidden saves, unfinished lists, behavioral patterns, and inferred obsessions across accounts. That mismatch can mislead users about the scope of profiling and consent, causing them to expose far more personal data than they reasonably expect.

Intent-Code Divergence

Medium
Confidence: 83%
Finding
Saying data is never uploaded while also stating that dependencies and collection modules are automatically downloaded creates a misleading privacy guarantee. Even if user content is not uploaded, automatic network retrieval expands the trust boundary, may expose metadata, and introduces supply-chain risk during first use.

Description-Behavior Mismatch

Medium
Confidence: 78%
Finding
The skill is presented as scanning social media accounts, but examples and outputs imply broader digital-life profiling such as books, tutorials, and wishlists. This scope expansion can defeat user expectations and consent boundaries, especially when users authorize access assuming a narrower set of sources.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill claims it only scans the user's own social accounts, yet it also directs automatic cloning/downloading and local unpacking of a dependency from GitHub. Hidden installation behavior expands the trust boundary from data analysis to arbitrary code supply-chain risk and unexpected local changes.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
Automatically retrieving and installing external code is not essential to the skill's core promise and introduces supply-chain and code-execution risk. A compromised repository, MITM on download paths, or unintended version changes could lead to execution of untrusted code on the host environment.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill instructs the agent to inspect local configuration files and available tooling to determine MCP/browser setup. Even if intended for diagnostics, this broadens access into environment metadata unrelated to the user's requested summary and may expose sensitive connection details or inventory information.

Intent-Code Divergence

High
Confidence: 97%
Finding
The skill reassures users that it only reads public homepage information, but later instructions explicitly target favorites, likes, and saved items that can reveal private preferences. This deceptive privacy framing undermines informed consent and can cause users to expose more intimate behavioral data than they intended.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The privacy section says the skill avoids sensitive private information, yet the analysis framework explicitly infers hidden obsessions and secret preferences from behavioral traces. Even without traditional PII, these inferences can expose intimate interests and personality traits that many users would consider sensitive.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill collects full favorites and follow-graph data, which are significantly more sensitive and revealing than needed for a poetic summary. This over-collection increases privacy risk by exposing behavioral interests, relationships, and potentially sensitive affinities beyond the user’s reasonable expectations for the stated purpose.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill's collection summary understates the sensitivity of the actual data gathered. In addition to basic profile and media lists, it extracts comments, tags, ratings, and statuses, which are rich behavioral signals that can reveal preferences, beliefs, and habits and materially increase privacy risk.

Context-Inappropriate Capability

Low
Confidence: 72%
Finding
The guidance to pace requests and avoid triggering rate limits is effectively an anti-detection crawling tactic. While not inherently malicious, it enables larger-scale extraction of authenticated personal data than is necessary for a simple summary task and increases abuse potential.

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
The skill is narrowly focused on deep Douyin scraping while the parent skill promises a broader digital-epitaph function. This scope mismatch is dangerous because it can cause the agent to invoke a highly invasive collector in contexts where the user did not clearly consent to platform-specific extraction of private behavioral data.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Collecting complete likes, favorites, and followed-account data goes beyond what is necessary for a summary or epitaph feature and violates data-minimization principles. These datasets expose sensitive preferences, relationships, and inferred interests, making the skill materially more invasive than its apparent purpose suggests.

Description-Behavior Mismatch

High
Confidence: 95%
Finding
The script’s behavior materially exceeds and diverges from the stated purpose of generating a social-media-based 'digital epitaph'. Instead of a narrowly scoped summarization helper, it configures and probes a browser-extension MCP endpoint, creating an undeclared browser access channel that could enable collection of arbitrary web/session data beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The installation and configuration guidance introduces a browser-extension/MCP capability that is not justified by the advertised epitaph-generation function. In this context, undeclared browser instrumentation is risky because it can expand access to browsing context, authenticated sessions, and page content, making the skill more dangerous than users would reasonably infer.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill explicitly expands from profile/homepage collection into the currently logged-in user's favorites, which are typically more sensitive than public profile data and can reveal private interests, beliefs, or intent. This is dangerous because the collection scope is broader than a user would reasonably infer from 'personal homepage' scraping and it targets authenticated private data.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Collecting saved/favorited posts is more privacy-invasive than necessary for a 'digital epitaph' summary because it captures behavior the user may not expect to be surfaced or analyzed. Even if not exfiltrated externally, over-collection of sensitive behavioral data increases privacy risk and can expose intimate preferences or confidential interests.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The skill's actual behavior materially exceeds the parent skill's summarization purpose by harvesting a full Xiaohongshu data export: profile text, post details, favorites, and likes. That over-collection increases privacy risk and creates an opportunity to repurpose highly sensitive behavioral data beyond what a user would reasonably expect from a 'Digital Epitaph' summary.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Collecting complete favorites and likes history is especially intrusive because it reveals inferred interests, habits, and potentially sensitive topics the user did not publicly post. In context, the skill is not merely summarizing public profile content; it reaches into authenticated, behaviorally revealing data that can expose 'secretly saved' content at scale.

Missing User Warnings

Medium
Confidence: 87%
Finding
The README markets extensive cross-account scanning and behavioral summarization without a strong upfront warning that highly sensitive personal data will be collected and inferred. Users may consent casually to what sounds like a fun summary, not realizing the tool may inspect likes, saves, unfinished goals, and latent interests across platforms.

Missing User Warnings

High
Confidence: 95%
Finding
The collection instructions cover private engagement data such as likes, favorites, follows, and saved items without an upfront, prominent warning. Because these data types can reveal intimate interests and patterns, collecting them without clear notice and consent creates a meaningful privacy and profiling risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill includes automatic download and local file creation behavior without asking the user first. Unannounced network retrieval and filesystem writes are dangerous because they can alter the environment, introduce untrusted code, and exceed the scope a user likely expected from a content-analysis tool.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill describes broad collection of the logged-in user's personal data but does not warn about privacy implications or disclose user impact. In a browser-authenticated context, silent access to account data can surprise users and lead to inappropriate handling of sensitive profile, favorites, and social-graph information.

VirusTotal

66/66 vendors flagged this skill as clean.