Back to skill

Security audit

Hetu Lyrics Blessing

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible daily lyric-reminder purpose, but it ships with hardcoded email credentials and a fixed recipient, so running it as-is could send messages through someone else's account.

Do not run or schedule this skill as-is. Remove and rotate the exposed SMTP credential if it is yours, replace hardcoded sender and recipient values with your own secure configuration, preview the outgoing email before first send, and only add the cron job after you understand how to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 使用 agent-browser 打开百度百科
    cmd = f'agent-browser open "{song_url}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    print(f"Result: {result.stdout}")
    
    # 等待页面加载
Confidence
94% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implementation sends a medication reminder email even though the skill is described as a lyric blessing tool. This mismatch undermines informed consent and can trigger unexpected outreach to a real recipient, which is more concerning because the email target is hardcoded and the content concerns health-related reminders.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains live SMTP credentials and a recipient address in source code. Hardcoded secrets are a severe issue because anyone with code access can reuse the account to send mail, access the mailbox, or pivot into password-reset and impersonation scenarios.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The code claims lyrics must be fetched from Baidu Baike but silently falls back to hardcoded content. This is not a classic memory/code-execution flaw, but it is a security-relevant integrity and transparency issue because the behavior differs from the declared network-dependent workflow and may conceal failures from users or reviewers.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The use case includes broad everyday scenarios like medicine reminders and warm messages, which increases the chance of accidental invocation in unrelated contexts. Overly broad triggering can cause unintended outbound communication or recurring automation to be launched without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends email and fetches content from a third-party website via browser automation, but it does not warn that recipient data, message content, IP/session metadata, and browsing activity may be transmitted to external services. This omission can expose personal data or communication patterns without informed consent, especially in a scheduled daily workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs external browsing and sends email to a hardcoded recipient without any meaningful runtime disclosure or consent flow. In this context, silent network retrieval plus outbound messaging is risky because it can leak behavior, contact third parties unexpectedly, and cause non-obvious side effects on behalf of the operator.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sensitive credentials are embedded and used without any warning, consent, or secure handling. In a skill context, this is dangerous because users may unknowingly operate with someone else's live account or expose secrets through logs, backups, or repository sharing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.