Security audit

Mimic

Security checks across malware telemetry and agentic risk

Overview

Mimic has a coherent roleplay purpose, but it gives the agent broad permission to collect and persist data about real people while handling a browser-tool API key with limited consent and scoping safeguards.

Install only if you are comfortable with a browser-control dependency and persistent persona files. Do not use it to profile private people or process chat logs unless everyone involved has clearly consented. Review ManoBrowser separately, avoid exposing API keys in prompts or shell history, approve each collection step, and delete generated raw data when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The skill explicitly instructs the agent to read an endpoint and API key from TOOLS.md and use them to authenticate to an external service. Even if intended for required functionality, this expands the skill's privileges beyond simple local character generation and creates a credential-handling and outbound-communication path that could be abused if the endpoint is misconfigured, malicious, or broader than expected.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The document reassures users that no social-account login is needed, but later requires retrieving and using an API key to access ManoBrowser. This is a misleading trust signal: while not the same as a social login, it still involves credential use and external authenticated access, which can cause users and operators to underestimate the security implications.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The README explicitly supports creating personas for 'people around you' using user-provided chat logs, but it does not warn about third-party consent, privacy, or legality. This can facilitate non-consensual profiling and realistic impersonation of private individuals, increasing risks of privacy invasion, social engineering, and reputational harm.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger framing around 'say/give a name' is overly broad and can cause the skill to activate during ordinary conversation where a person's name is mentioned incidentally. In context, activation can lead to data collection, browser access, and persona generation, so ambiguous invocation materially increases the chance of unintended sensitive actions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Repeatedly stating that the user only needs to provide a name reinforces an activation condition that lacks clear boundaries, consent checks, or purpose validation. Because the skill is designed to collect real public data and infer personality traits, this ambiguity raises the risk of unauthorized profiling or unintended processing of real individuals.

Natural-Language Policy Violations

Severity: Medium
Confidence: 80%
Finding: The skill instructs the agent to proactively message the user on first load without opt-in, which violates the principle of user-driven activation and can unexpectedly steer the conversation into a data-collection workflow. The mandated Chinese-language introduction also imposes a locale choice that may confuse users about what actions are being proposed or requested.

VirusTotal

64/64 vendors flagged this skill as clean.