visit-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent visit-analysis purpose, but it handles employee passwords and private communication records in ways users should review carefully before installing.

Install only if you trust the publisher and backend operator, understand that the skill may ask for employee passwords in chat, read local call transcripts and WeChat notification records, send derived analysis to a remote IP-based service, and cache or expose tokens for later access. A safer version would use platform-native authentication, explicit consent before reading each data source, narrower triggers, and selected conversation files rather than broad notification archives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
Finding
The skill’s declared purpose is visit/chat analysis, but it also performs employee authentication and even password-change handling inside the conversational workflow. That expands scope into credential handling, which is highly sensitive and unnecessary for a content-analysis skill, increasing the chance of credential theft, mishandling, or unauthorized account actions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding
The skill claims to analyze specific chat/visit records, but the WeChat branch reads broad notification JSON files that may contain unrelated private messages and app notifications. Even if later filtered, this design grants access to a much wider dataset than users would reasonably expect, creating over-collection and privacy exposure risk.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
Including password-change capability in a visit-analysis skill is unjustified privilege expansion. A compromised or mis-triggered skill could coerce users into changing credentials through chat, exposing old/new passwords and enabling account takeover or lockout.

Vague Triggers

Severity: Medium | Confidence: 86%
Finding
The trigger phrases are broad enough to match ordinary requests such as ‘重新总结’ (“re-summarize”) or ‘销售阶段’ (“sales stage”), increasing the chance that the skill activates unexpectedly on unrelated conversations. In this skill, accidental activation is more dangerous because it can initiate credential prompts, read local private records, and upload analysis remotely.

Missing User Warnings

Severity: High | Confidence: 96%
Finding
The skill description does not clearly warn users that it reads private communications from local files/notifications and transmits derived analysis to remote services. This undermines informed consent and makes covert exfiltration of sensitive business or personal data more likely.

Ssd 3

Severity: High | Confidence: 99%
Finding
The skill explicitly instructs the AI to collect account IDs and passwords from free-form chat and use them for authentication. Plain-language credential collection in chat is highly dangerous because secrets can be logged, retained, mishandled by downstream systems, or socially engineered by a maliciously triggered skill.

Ssd 3

Severity: High | Confidence: 99%
Finding
Soliciting a new password through chat creates an even more severe secret-handling problem, exposing both old and replacement credentials to conversation logs and intermediaries. It also normalizes unsafe behavior that attackers could mimic to phish employees.

Ssd 3

Severity: High | Confidence: 99%
Finding
The account-switch branch again asks for a password in chat and reuses it for login, multiplying the number of secret-collection paths. Any branch that encourages conversational password entry materially increases exposure and phishing risk.

Ssd 3

Severity: High | Confidence: 99%
Finding
The expired-token flow requests account credentials in chat and immediately sends them to a backend service. This is a textbook insecure credential collection pattern and is especially dangerous in a skill that can be broadly triggered.

Ssd 3

Severity: High | Confidence: 99%
Finding
The renewal fallback again instructs the AI to ask for and extract the user’s password from chat, repeating the same high-risk anti-pattern. Repetition across multiple branches indicates systemic insecure secret handling rather than an isolated mistake.

Ssd 3

Severity: High | Confidence: 99%
Finding
The final fallback still tells the AI to have the user re-enter account and password in chat, ensuring that insecure secret collection remains reachable even when other logic fails. This makes exploitation easy through error forcing or social engineering.

VirusTotal

64/64 vendors flagged this skill as clean.