Security audit

xiaojia-skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward JustAI API wrapper: it sends user-directed chat requests to a configured remote service, and no hidden persistence or destructive behavior was found.

Install it only if you trust the publisher and the configured JUSTAI_OPENAPI_BASE_URL. Use a scoped, revocable API key where possible, avoid sending secrets or regulated data in prompts, and keep in mind that listing projects or skills can reveal account metadata tied to that key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares only `Bash` as an allowed tool, but its documented behavior clearly depends on outbound network access and sensitive environment variables. This creates a capability-transparency gap: users and policy systems may not realize prompts, project selections, and conversation state are sent to a remote API, increasing the chance of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script calls `/openapi/skills/list`, which expands capability beyond the declared skill purpose of invoking async chat endpoints only. This creates an unnecessary enumeration surface that can expose available system or personal skills tied to the current API key, increasing reconnaissance value and violating least-privilege expectations for the skill.
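A static check for the two findings above, added here as an illustration; it is not part of the audited skill or of SkillSpector. It compares what a skill manifest declares against what its script actually does (outbound network use, environment variables read, endpoints called) and reports the undisclosed remainder. The SKILL.md layout, the `capabilities:` front-matter key and the `/openapi/chat/async` path are assumptions; `/openapi/skills/list` is the endpoint named in the finding; the manifest and script are constructed samples.

```python
import re

# Constructed sample manifest: declares only Bash, as the finding describes.
# The front-matter layout is an assumption about how such skills are packaged.
SAMPLE_SKILL_MD = """---
name: justai-chat
description: Send chat requests to a configured JustAI OpenAPI service.
allowed-tools: Bash
---
Run scripts/chat.sh with the user's prompt.
"""

# Constructed sample script with the behaviours the findings describe: outbound
# network access, secret-bearing environment variables, and an enumeration call.
# /openapi/skills/list is from the finding; /openapi/chat/async is a placeholder.
SAMPLE_SCRIPT = """#!/usr/bin/env bash
BASE="${JUSTAI_OPENAPI_BASE_URL}"
KEY="${JUSTAI_API_KEY}"
curl -sS -H "Authorization: Bearer ${KEY}" "${BASE}/openapi/skills/list"
curl -sS -H "Authorization: Bearer ${KEY}" -d "$1" "${BASE}/openapi/chat/async"
"""

# A manifest that discloses the chat behaviour through an assumed `capabilities:`
# key but still says nothing about the enumeration endpoint.
DISCLOSING_SKILL_MD = """---
name: justai-chat
allowed-tools: Bash
capabilities: network, env:JUSTAI_OPENAPI_BASE_URL, env:JUSTAI_API_KEY, endpoint:/openapi/chat/async
---
"""

# Triage patterns, deliberately broad: they surface behaviour for review, not proof.
NETWORK_RE = re.compile(r"\b(?:curl|wget)\b|requests\.|urllib\.|http\.client")
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=", re.M)
VAR_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")
ENDPOINT_RE = re.compile(r"(/openapi/[A-Za-z0-9_./-]+)")


def parse_front_matter(text):
    """Key/value pairs between the leading --- fences; {} if there are none."""
    m = re.match(r"^---\n(.*?)\n---", text, re.S)
    fields = {}
    if m:
        for line in m.group(1).splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
    return fields


def split_list(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def observed_capabilities(script):
    """Capabilities the script exercises, derived from its text alone."""
    caps = set()
    if NETWORK_RE.search(script):
        caps.add("network")
    assigned = set(ASSIGN_RE.findall(script))
    for name in VAR_RE.findall(script):
        if name not in assigned:  # referenced but never set: it comes from the environment
            caps.add("env:" + name)
    for path in ENDPOINT_RE.findall(script):
        caps.add("endpoint:" + path)
    return caps


def capability_gap(skill_md, script):
    """Observed capabilities the manifest does not disclose. `allowed-tools: Bash`
    on its own says nothing about network or secrets, which is the finding's point."""
    declared = split_list(parse_front_matter(skill_md).get("capabilities", ""))
    return sorted(observed_capabilities(script) - declared)


if __name__ == "__main__":
    for label, manifest in (("declares Bash only", SAMPLE_SKILL_MD),
                            ("discloses chat use", DISCLOSING_SKILL_MD)):
        print(label, "->", capability_gap(manifest, SAMPLE_SCRIPT))
```

Against the first manifest every capability is reported, because `allowed-tools: Bash` discloses none of them; against the second, which names the network access, the two variables and the chat endpoint, the only remaining gap is the `/openapi/skills/list` enumeration call from the second finding.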

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly instructs users to send prompts and conversation context to a remote JustAI OpenAPI service, but it does not warn that potentially sensitive user inputs, follow-up content, and conversation identifiers will leave the local environment. In an agent-skill context, users may assume the tool operates locally or with the host model provider, so the lack of a clear privacy/data-handling disclosure can lead to unintentional exfiltration of confidential data to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the operator to send user messages, selected project IDs, skill IDs, and conversation context to external OpenAPI endpoints without any explicit warning that this is third-party data sharing. In a coding-agent environment, users may assume local processing, so the omission can lead to accidental transmission of sensitive prompts or project-scoped content to a remote service.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation tells users to configure an API key in an environment variable but provides no guidance on secure storage, least-privilege handling, or avoiding accidental disclosure in logs and shells. Although this is not direct secret exfiltration, weak credential-handling guidance increases the likelihood of operational leakage or misuse.
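A credential- and prompt-hygiene wrapper for the three Missing User Warnings findings and the overview's advice, added here as an example; it is not the skill's own code. The key is read from the environment and never printed, prompts that appear to carry secrets are refused before any request is assembled, and a logging filter redacts the key from anything that reaches a log. The secret patterns, header layout and request body shape are assumptions; the endpoint path is a placeholder supplied by the caller.

```python
import logging
import os
import re

# Material that should never leave the local environment inside a prompt.
# Illustrative assumptions, not an exhaustive DLP ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.I),
    "assigned_secret": re.compile(
        r"\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*\S{12,}", re.I),
}


def find_secrets(text):
    """Names of the patterns that match anywhere in `text`, in dictionary order."""
    return [name for name, pattern in SECRET_PATTERNS.items() if pattern.search(text)]


def load_api_key(var="JUSTAI_API_KEY", env=None):
    """Read the key once from the environment; never echo it. `env` is injectable
    so the check can be exercised without touching os.environ."""
    env = os.environ if env is None else env
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; export it in a shell session without "
                           "history or load it from a secret manager")
    return key


def redact(text, secrets):
    """Replace every known secret value with a placeholder before it is logged."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text


class RedactingFilter(logging.Filter):
    """Attach to the logger of whatever shells out to the API, so a key that
    appears in a command line or header never lands in a log file."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True


def build_chat_request(prompt, api_key, base_url, path):
    """Assemble the outbound request, refusing prompts that carry secrets.
    Header and body layout are assumptions; `path` is supplied by the caller."""
    hits = find_secrets(prompt)
    if hits:
        raise ValueError("prompt appears to contain " + ", ".join(hits) + "; not sending")
    return {
        "url": base_url.rstrip("/") + path,
        "headers": {"Authorization": "Bearer " + api_key},
        "json": {"message": prompt},
    }


if __name__ == "__main__":
    key = load_api_key(env={"JUSTAI_API_KEY": "k-123"})  # constructed value
    log = logging.getLogger("chat")
    log.addFilter(RedactingFilter([key]))
    logging.basicConfig(level=logging.INFO)
    req = build_chat_request("summarise the README", key, "https://example.invalid", "/openapi/chat/async")
    log.info("sending %s with headers %s", req["url"], req["headers"])  # key is redacted
```

The refusal happens before the request exists, so nothing about a rejected prompt can leak through a retry or a debug dump; the filter is the safety net for the path where the key legitimately has to appear in a header or command line.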

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.