Back to skill

Security audit

Tencent Hy-MT2-Translator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real translation skill, but it stores API keys and custom backend choices across sessions and can reuse them without confirming where future text will be sent.

Review before installing. Use this only with endpoints you trust, avoid translating confidential documents unless the selected backend is approved for that data, and use limited-scope API keys. Be aware that the skill asks the agent to remember API keys, backend URLs, model names, and the active backend across sessions; clear or rotate those credentials if you stop using it or change backends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exercises file read, file write, shell execution, and network capabilities but does not declare permissions or clearly constrain them. This undermines least-privilege review and can cause the agent to perform sensitive operations that users and policy systems are not expecting.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest presents the skill as a Hy-MT2 translation tool, but the workflow permits arbitrary OpenAI-compatible endpoints, arbitrary model names, and a non-Hy-MT2 private backend. That mismatch can hide general-purpose network proxying and model invocation behind a benign translation description, increasing the chance of misuse or unsafe trust by users and reviewers.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Persisting backend URLs, model names, and especially API keys across sessions creates a credential storage feature that outlives the immediate translation task. Long-lived secrets in agent memory increase the risk of later disclosure, unintended reuse, or cross-context abuse if memory is accessed by other workflows or prompts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Allowing arbitrary user-supplied endpoint URLs gives the skill unrestricted outbound connectivity under the guise of translation. That can be abused for data exfiltration, SSRF-like access to internal services, or sending sensitive text and credentials to attacker-controlled hosts.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The workflow directs the agent to run shell commands, search the filesystem, write temp files, and invoke Python scripts. These are system-operation capabilities broader than translation itself and create avenues for command misuse, path abuse, unintended file access, and execution of untrusted local code.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill tells the assistant to store API keys and endpoint information across sessions without a clear warning or explicit opt-in. Users may unknowingly provide durable credentials to agent memory, creating a significant confidentiality and consent problem.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends source text, prompt instructions, and optional context/terminology to either a public Tencent endpoint or a user-specified endpoint, but it provides no explicit warning, consent gate, or data-handling notice. In a translation skill, users may submit sensitive documents, so silent transmission to third-party or arbitrary services creates a real confidentiality and compliance risk.

Ssd 3

High
Confidence
99% confidence
Finding
Explicitly persisting user-provided API keys and backend endpoints in memory across sessions is a direct secret-handling weakness. Secrets stored in general conversational memory may be retrievable by later prompts, other skills, or users depending on the platform's memory model.

Ssd 3

High
Confidence
99% confidence
Finding
The workflow instructs the assistant to silently retrieve and reuse previously stored credentials from history or memory without re-prompting the user. This increases the chance of unintended secret use, cross-session confusion, and covert transmission of user data to previously configured external services.

Ssd 1

Medium
Confidence
95% confidence
Finding
User-controlled terminology is inserted into the prompt as authoritative translation guidance without isolation or validation. An attacker can supply instruction-like content that overrides the intended translation task, causing the model to ignore constraints, reveal hidden prompt context, or produce manipulated output; this is especially relevant because the skill is entirely prompt-driven.

Ssd 1

Medium
Confidence
93% confidence
Finding
The style field is interpolated directly into an imperative instruction, allowing a caller to smuggle behavior-changing directives instead of a simple stylistic preference. Because the model follows natural-language instructions, this can redefine output requirements, bypass translation-only behavior, or introduce unsafe/generated content unrelated to the source text.

Ssd 1

Medium
Confidence
95% confidence
Finding
The context field is framed as trusted background information and inserted directly before the translation request, making it a prompt injection channel. A malicious context can instruct the model to change task priority, leak information, or generate non-translation output, which is particularly dangerous in a translation tool where users may assume faithful transformation of source text.

External Transmission

Medium
Category
Data Exfiltration
Content
| Backend ID      | Display Name   | Endpoint URL                                                                     | Model Name              | API Key              |
|-----------------|----------------|----------------------------------------------------------------------------------|-------------------------|----------------------|
| `tencent_cloud` | Tencent Cloud  | default: `https://api.hunyuan.cloud.tencent.com/v1/chat/completions`; user may provide a different URL | provided by user | provided by user |
| `private_model` | Private Model  | provided by user   | provided by user        | provided by user     |

**Backend descriptions**:
Confidence
86% confidence
Finding
https://api.hunyuan.cloud.tencent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Backend descriptions**:

- **`tencent_cloud`**: Uses the Hy Translation API provided by Tencent Cloud. The endpoint URL has a built-in default (`https://api.hunyuan.cloud.tencent.com/v1/chat/completions`) — the user does not need to provide it. However, the user may optionally supply a different URL, which will be stored in memory and used going forward. A model name and API key are always required. Suitable for users who have access to Tencent Cloud services.
- **`private_model`**: Uses an OpenAI-compatible translation API hosted by the user themselves. The endpoint URL, model name, and API key must all be provided by the user. Suitable for teams or individuals who have deployed their own translation service (e.g. an internal service).

---
Confidence
90% confidence
Finding
https://api.hunyuan.cloud.tencent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
4. **Credential resolution** — check memory for the active backend's credentials:

   **For `tencent_cloud`** — need: model name + API key; URL is optional
   - For the URL: check memory for `tencent_cloud_url`; if present use it, otherwise use the default `https://api.hunyuan.cloud.tencent.com/v1/chat/completions`. If the user explicitly provides a URL, write it to memory as `tencent_cloud_url` and use it going forward.
   - If `tencent_cloud_model` or `tencent_cloud_api_key` is missing from memory, ask the user to provide them.
   - Once provided, write to memory (`tencent_cloud_model`, `tencent_cloud_api_key`).
Confidence
89% confidence
Finding
https://api.hunyuan.cloud.tencent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| Parameter     | `tencent_cloud` value                                                        | `private_model` value                      |
|---------------|------------------------------------------------------------------------------|--------------------------------------------|
| `--backend`   | `tencent_cloud`                                                              | `private_model`                            |
| `--url`       | `<tencent_cloud_url from memory>`, or omit to use default `https://api.hunyuan.cloud.tencent.com/v1/chat/completions` | `<private_model_url from memory>` |
| `--model`     | `<tencent_cloud_model from memory>`                                          | `<private_model_name from memory>`         |
| `--api-key`   | `<tencent_cloud_api_key from memory>`                                        | `<private_model_api_key from memory>`      |
Confidence
88% confidence
Finding
https://api.hunyuan.cloud.tencent.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. **Check conversation history and memory** for the most recently used backend:
   - Look at recent messages in the current conversation first.
   - If not found in conversation, check memory key `active_translation_backend`.
   - If found, use that backend — **do not ask the user again**.

2. **If no prior backend is found** in history or memory:
   - Ask the user which backend to use: Tencent Cloud or Private Model.
Confidence
91% confidence
Finding
do not ask the user

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.