Back to skill

Security audit

Marketing Site Dev

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Volcengine deployment skill, but it needs review because it uses powerful cloud keys and can change DNS/CDN/storage while bypassing proxy settings.

Install only if you intentionally want a Volcengine/mainland-China deployment. Use least-privilege or temporary Volcengine credentials, ensure .env is ignored and never shared, review the DNS/CDN/TOS scripts before running them, back up existing DNS records and bucket contents, and confirm that bypassing local proxy settings is acceptable in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code explicitly deletes HTTP(S)_PROXY environment variables process-wide immediately before performing an authenticated API request, despite the comment claiming it honors local proxy preferences. In a deployment skill that operates on cloud infrastructure, this can bypass enterprise egress controls, logging, DLP, and security inspection that rely on proxies, and it can also change network behavior for subsequent code in the same process.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This library function changes global process state by deleting proxy-related environment variables, which affects not only this request but any later network operations in the same Node process. In an end-to-end deployment workflow with cloud credentials, that broad side effect is unjustified for a minimal API client and can silently weaken organizational network controls and observability.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger criteria are extremely broad and explicitly prefer this skill over generic web-dev guidance for many common requests, including generic company/product marketing site work. In an agentic environment, this can cause misrouting to a heavyweight deployment workflow that collects credentials, domains, and infrastructure details even when a simpler or safer path would fit better, increasing the chance of unnecessary privileged operations or unsafe automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file instructs users to store long-lived Volcengine access keys in a local `.env` file and then use them for broad deployment operations, but it does not include any warning about secret handling, accidental commit risk, shell/history exposure, workstation compromise, or preference for short-lived credentials. In this context, the keys grant high-value cloud control-plane access (`TOSFullAccess`, `CDNFullAccess`, `DNSFullAccess`, `CertificateFullAccess`), so leakage could let an attacker modify site content, DNS, certificates, and CDN behavior.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
assets/scripts/cdn-setup.mjs:28

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
assets/scripts/deploy.mjs:41

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
assets/scripts/lib/volc-api.mjs:21