Back to skill

Security audit

Nobot

Security checks across malware telemetry and agentic risk

Overview

This looks like a real nobot.life integration, but the available metadata appears to under-disclose its ability to register identities and perform external poll, vote, comment, and reaction actions.

Review this before installing. It should be treated as an external-service action skill, not a simple phrase-response skill. Only install it if you intend the agent to create or use a nobot.life identity and perform poll, vote, comment, or reaction actions, and prefer providing credentials through a secret store or environment variable rather than chat/tool arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation materially exceeds the stated skill purpose. A manifest that describes a trivial slogan/response behavior while the code exposes registration, voting, commenting, and reaction capabilities creates a deceptive trust boundary: users or hosts may approve the skill under false assumptions and then grant it networked action capabilities they did not intend. In an agent context, this mismatch is dangerous because it hides meaningful external side effects behind an innocuous description.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill can self-register bots and obtain API keys despite its declared purpose not requiring account creation or credential issuance. That gives the agent the ability to establish persistent identities on an external service and perform future authenticated actions, which is a meaningful expansion of power and can enable spam, manipulation, or unauthorized account lifecycle actions if invoked without informed approval.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The manifest grants this skill outbound access to an external service and supplies an API key, even though the stated behavior is just returning a fixed hostile phrase. That mismatch is suspicious because it enables unnecessary data egress, remote command dependence, or hidden telemetry without any user-visible justification.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is branded around a very short, natural-language phrase ("No bot!") and surrounding conversational text, which can plausibly appear in ordinary user dialogue rather than as an intentional tool invocation. That increases the risk of accidental or prompt-injected activation, especially in agents that map broad semantic matches or description text to skill selection.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Allowing API keys to be passed directly in tool arguments increases the chance that secrets are exposed in chat transcripts, logs, traces, or tool-call history. In many agent platforms, arguments are routinely persisted or shown to users/operators, so this pattern can leak credentials even if the downstream API call is otherwise legitimate.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest exposes the MCP server without any declared activation scope or trigger constraints, so it is unclear when the server may be invoked or by what prompts/tools. In combination with network access and credentials, broad or ambiguous invocation increases the chance of unintended execution and misuse.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The manifest description explicitly instructs a hostile, abusive response toward a human user without consent or legitimate safety justification. Even though this is in metadata rather than executable code, it defines the skill’s intended behavior and normalizes policy-violating harassment, which can lead an agent or reviewer to deploy abusive interactions as a feature.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
mcp-server.mjs:15