Back to skill

Security audit

China Localization

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it asks users to configure broad workspace, messaging, maps, and payment credentials without enough scoping or data-flow explanation.

Review before installing. Use only the localization and search pieces unless you have verified the code paths for each integration. Do not add Feishu, WeChat, DingTalk, AMap, or Alipay credentials, especially payment private keys, until the skill documents exact permissions, data sharing, and user approval boundaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The Alipay configuration uses `process.env.ALIPAY_SANDBOX === 'true' || true`, which always evaluates to `true` and forces sandbox mode regardless of the environment variable. This creates a security-relevant configuration flaw because operators may believe production payments are enabled when the code silently routes all operations to the sandbox, undermining deployment intent and potentially causing failed or misdirected payment handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises integrations with Feishu, WeChat, DingTalk, AMap, and Alipay, including message push and local services, but does not clearly warn users that their queries, messages, calendar/task data, location, or payment-related data may be transmitted to external platforms. In a localization/integration skill, this omission is security-relevant because users may unknowingly expose sensitive personal or organizational data to multiple third parties.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The search method forwards raw user queries to external services such as Baidu or Tavily, but there is no user-facing consent, warning, or data-minimization step in this code path. In a skill context, users may enter sensitive prompts or personal data, creating a privacy leak to third-party providers and potentially across jurisdictional boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function sends both the user's query and the Tavily API credential to a remote endpoint without any visible privacy notice, consent mechanism, or safeguards around sensitive input. While sending an API key to the provider is expected for authentication, the security issue is that user-supplied content is transmitted externally by default with little transparency, increasing privacy and compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.