pancake-skills

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate Pancake API helper, but it has unsafe scripting and write-confirmation gaps around high-impact account and messaging actions.

Install only after reviewing or patching the scripts. Fix url_encode to pass values as Python argv, require CONFIRM_WRITE=YES for token generation and chat-plugin sends, avoid exposing tokens in logs or chat history, and use this skill only in trusted sessions where Pancake customer data, staff assignments, messaging, uploads, exports, and token management are intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill invokes shell scripts and external network APIs but does not declare permissions or capabilities in its manifest. This weakens review and enforcement boundaries, making it easier for a caller to trigger networked and shell-backed actions without clear disclosure of the trust and execution model.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior exceeds the stated purpose by including SIP call-log retrieval and full data export, both of which can expose sensitive communications and bulk customer data. Scope mismatch is dangerous because users and policy systems may authorize the skill for routine messaging tasks while unknowingly enabling broader surveillance or exfiltration functionality.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
Including SIP call-log access and export-data functionality broadens the data-access surface beyond the advertised use cases. These operations can reveal sensitive metadata or enable bulk extraction, so burying them in documentation increases the chance of over-privileged use and insufficient user awareness.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The OpenAPI spec exposes materially broader capabilities than the skill metadata suggests, including export of ad-originated conversations and SIP call-log retrieval. That scope mismatch can mislead reviewers, orchestrators, or users into granting the skill access to sensitive data flows they did not reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The top-level description says the API is for retrieving page data, generating tokens, and listing conversations, but the file actually includes extensive write operations and administrative actions such as assigning staff, updating customers, uploading media, and sending messages. This understatement increases the risk of over-trusting the skill and approving broader authority than intended.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script advertises and implements call-log retrieval and conversation export functionality that are not reflected in the stated skill description. Hidden or under-declared capabilities are dangerous because an agent or reviewer may authorize the skill for routine page/message management without realizing it can access broader sensitive datasets such as SIP logs and exported conversation data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This block exposes SIP call log retrieval even though that capability is not declared in the skill metadata. Call logs can contain sensitive operational and personal data, so undisclosed access materially increases risk by bypassing informed consent and least-privilege expectations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script supports exporting ad-related conversations without this being described in the skill manifest. Export features are especially risky because they enable bulk extraction of user communications, which increases privacy, compliance, and exfiltration concerns beyond normal interactive message handling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The upload helper performs a state-changing network operation with a page token but does not enforce the script's own write-safety control via confirm_write. In this skill context, which manages pages, messages, posts, and media, that omission makes unintended or automated uploads easier and increases the chance of unauthorized content changes if the helper is invoked by mistake or by a higher-level workflow without adequate guarding.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The chat-plugin send command performs a state-changing network POST using arbitrary stdin JSON but does not invoke confirm_write or any comparable safeguard. In an agent setting, this makes unintended outbound messaging more likely, which can lead to spam, impersonation, data leakage, or unauthorized customer contact.

Credential Access

High
Category
Privilege Escalation
Content
### User API (`https://pages.fm/api/v1`)
- `GET /pages` - List pages
- `POST /pages/{page_id}/generate_page_access_token` - Create page access token

### Page API v2 (`https://pages.fm/api/public_api/v2`)
- `GET /pages/{page_id}/conversations` - List conversations
Confidence
72% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
  title: Pancake API Library
  version: 1.0.0
  description: >
    API for retrieving page data, generating access tokens, and listing conversations on Pancake platform.
  contact:
    name: Pancake Support
    url: 'https://www.pancake.biz/contact'
Confidence
96% confidence
Finding
access tokens

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Pancake user access token for authentication.
      responses:
        '200':
          description: Successful response
Confidence
95% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
      tags:
        - Pages
      summary: Generate page_access_token
      description: "Generate or refresh page_access_token by the admin's access_token of page. Page Access Token used to authenticate public APIs on behalf of a Page. The page's admin can retrieve this token from the Pancake interface by going to: Page's settings → Tools. This token does not expire unless it is manually deleted or renewed. An API key is a token that you provide when making API calls. Include the token in a query parameter called page_access_token."
      security:
        - UserAccessToken: []
      parameters:
Confidence
98% confidence
Finding
Access Token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Pancake user access token with admin rights to the page.
      responses:
        '200':
          description: Token generated successfully
Confidence
95% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Access token of the page for authentication.
        - name: page_id
          in: path
          required: true
Confidence
93% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Access token of the page used for authentication.
      requestBody:
        required: true
        content:
Confidence
93% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Access token of the page used for authentication.
      requestBody:
        required: true
        content:
Confidence
93% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token
      responses:
        '200':
          description: Success response
Confidence
92% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token
      responses:
        '200':
          description: Success response
Confidence
92% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token
        - name: conversation_id
          in: path
          required: true
Confidence
93% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token (generate in tool settings)
      requestBody:
        required: true
        content:
Confidence
94% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token (requires permission to view ad reports).
        - name: since
          in: query
          required: true
Confidence
91% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token
        - name: since
          in: query
          required: true
Confidence
91% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
          required: true
          schema:
            type: string
          description: Page access token (requires permission to view reports).
        - name: date_range
          in: query
          required: true
Confidence
90% confidence
Finding
access token

VirusTotal

63/63 vendors flagged this skill as clean.
