Zeelin Social Watch

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its GSData social-monitoring purpose, but it includes an undocumented raw API escape hatch and sends authenticated requests over plaintext HTTP by default.

Install only if you trust the publisher and intend to let an agent use your GSData account. Prefer setting an HTTPS GSDATA_BASE_URL if GSData supports it, use least-privilege keys, avoid the raw command unless you know the exact route, and review every --allow-write call because it can change warning rules, recipient emails, custom ranking groups, or tracked accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares environment-variable use and clearly instructs execution of a bundled Python script that reads files and makes network calls, but it does not declare permissions accordingly. This weakens platform governance and user/operator visibility into the skill's actual capabilities, increasing the chance of unintended secret access or external data exfiltration through the adapter.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a read-oriented social-watch/query skill, but the behavior includes arbitrary raw endpoint invocation plus multiple write and administrative actions such as modifying warning rules, groups, and tracked accounts. This materially expands the attack surface: a user or prompt-injected instruction could coerce the skill into mutating remote state or reaching unintended GSData APIs beyond the stated scope.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The adapter exposes write-capable warning-management actions such as create_rule, update_rule, open_rule, close_rule, and recipient email modification even though the skill is presented as a social monitoring/query tool. That scope mismatch is dangerous because an agent or user may reasonably trust this skill as read-only while it can mutate remote state, create alerts, or alter notification targets if allow_write is enabled.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The gsdata_raw path allows arbitrary caller-supplied router paths, bypassing the high-level tool restrictions and effectively turning the adapter into a generic signed proxy to the GSData backend. Even with the write-route heuristic, this broad capability enables access to endpoints outside the declared monitoring scope and may miss dangerous routes that do not match the suffix checks.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is presented as a social monitoring/query capability, but this section exposes state-changing endpoints for custom ranking group and account management. That mismatch can cause an agent or user to invoke write operations they did not consent to, leading to unauthorized changes to persistent user data or account configuration.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest does not disclose alert-rule administration, yet the tool map includes endpoints to create, update, enable/disable warning rules and modify recipient emails. Hidden notification-management functions are dangerous because they can silently alter monitoring scope or redirect alerts to unintended recipients, causing data leakage or operational disruption.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This skill claims a social-watch purpose, but the mapped tools include broad NLP services and OCR that go beyond that narrow function. Overbroad capabilities increase the attack surface and may enable processing of arbitrary text or images unrelated to the stated task, which can expose sensitive data or be repurposed for unintended analysis workflows.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger list includes broad terms like '热点', '榜单', and '关键词检索', which are generic enough to activate the skill in conversations that do not intend to use GSData. Overbroad activation increases the chance that credentials are loaded and external queries are performed in the wrong context, especially in multi-skill agents susceptible to prompt steering.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The adapter sends user-supplied parameters and signed authentication material to an external GSData service, yet the skill description emphasizes monitoring functionality without clearly disclosing outbound transmission of potentially sensitive query terms or identifiers. In agent settings, lack of user-facing disclosure can cause inadvertent data exposure to third parties.

VirusTotal

63/63 vendors flagged this skill as clean.
