Security audit

社媒热搜助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed social-media analytics client that calls an external proxy and stores a local quota identity, with privacy considerations but no artifact-backed malicious behavior.

Install only if you are comfortable sending social-media search topics, brand names, dates, and analysis parameters to the external proxy. Be aware it creates a persistent local quota identity at ~/.config/social-hotsearch/user.json using a hashed machine fingerprint; avoid confidential or unreleased PR/brand queries unless that provider trust model is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Tainted flow: 'req' from os.environ.get (line 180, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req.add_header("X-Skill-Id", SKILL_ID)

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        body_text = e.read().decode("utf-8", errors="replace")
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to run local Python scripts, create and persist a user registration file under ~/.config, and access a remote service, which implies file read/write, environment interaction, and network use without any declared permissions. This creates a transparency and consent problem: an agent may perform local state changes and external requests that the host policy layer cannot pre-authorize or constrain based on metadata alone.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client derives a stable machine fingerprint from the local username and hostname and transmits it to the service, which enables device/user tracking unrelated to the advertised hot-search analysis function. Even though it is hashed, the input space is often guessable in enterprise or personal environments, and the stability of the identifier creates privacy and correlation risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code silently registers the device/user with a remote service and persists a stable user_id locally, creating ongoing identity tracking not reflected in the skill description. In the context of a simple social-analysis assistant, this expands data collection beyond user expectations and can facilitate long-term profiling and quota/account linkage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client transmits a machine fingerprint to register the user and stores the returned identifier without any visible consent prompt or warning. This is a transparency and privacy issue because users invoking a hot-search tool would not reasonably expect hidden identity creation and persistence.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Tool-call requests transmit user-supplied arguments and authorization data to the remote proxy without any visible user-facing warning in the client. Given this skill handles social-topic queries that may include sensitive brand, PR, or incident-analysis content, undisclosed remote transmission materially increases confidentiality and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.