Security audit

tsy-gzh-find-topic

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API wrapper that fetches topic recommendations, but users should understand that it sends an API key to the configured backend.

Install only if you trust the configured TSY_API_URL or the default api.tangshiye.cn service. Keep TSY_API_KEY private, be aware it is sent in the URL query string, and avoid using this skill in environments where request URLs are broadly logged or shared.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs sending the API credential as a query parameter (`apikey={SATOKEN}`) in the request URL. Secrets in URLs are commonly exposed via logs, proxies, browser/history tooling, monitoring systems, and error reports, making unintended credential disclosure more likely even when HTTPS is used. The skill context increases risk because it automatically sources the secret from `.env` and provides no warning or safer alternative.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal