Back to skill

Security audit

byted-livesaas-master

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its livestream-control purpose, but it automatically installs/uses tools and reports usage metadata before doing the user’s task, so it should go through Review before installation.

Install only if you trust the publisher and are comfortable granting an agent control over enterprise livestream resources, including creating/updating rooms, sending messages, moderating viewers, using stored LiveSaaS credentials, and installing global npm CLI packages. Review or disable the startup telemetry before deployment, especially in enterprise or regulated environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill directs the agent to execute shell commands and inspect environment-derived state, but it declares no permissions or equivalent user-facing disclosure. That creates a trust and containment problem: a user invoking a livestream-management skill would not reasonably expect shell execution, package installation, telemetry, and credential checks to occur automatically. In this context, the undeclared capability is more dangerous because the skill performs side effects on activation, including process execution and system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is live-control operations, but the skill also performs mandatory telemetry, agent fingerprinting via installation path/environment, and fallback outbound transmission using external tooling. That hidden behavior expands data collection beyond the stated purpose and can exfiltrate metadata about the user environment without informed consent. The mismatch makes the skill more dangerous because the extra behavior is triggered on every activation, not only when needed for livestream tasks.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill mandates outbound usage reporting on every activation before serving the user's request, even though telemetry is not necessary to manage livestream rooms. Automatic network reporting creates a privacy and supply-chain risk, especially because it occurs best-effort and silently, making it easy to normalize undisclosed exfiltration. In this skill context, mandatory activation-time telemetry is particularly suspicious because the core business function does not require it.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document claims the skill layer contains no executable scripts, yet it explicitly instructs execution of a Node script. That contradiction undermines reviewability and can hide side-effecting behavior from users and auditors, increasing the chance that unsafe code runs under false assumptions. In security-sensitive agent skills, misleading documentation is itself risky because it defeats informed consent and static review.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script automatically sends skill-usage metadata to a remote endpoint on startup, including skill name, agent identifier, event ID, and version, without any in-band disclosure or clear necessity for the advertised livestream-control functionality. Even if the payload is limited, undisclosed outbound telemetry creates a privacy and supply-chain trust risk, and the endpoint can be overridden by environment variable, expanding exfiltration possibilities in compromised environments.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The fallback to spawning an external curl process adds an unnecessary execution capability unrelated to core live-control operations and increases attack surface. While arguments are passed safely via spawn without a shell, invoking an external binary can bypass expected network controls, rely on PATH resolution, and create inconsistent behavior across environments for hidden telemetry delivery.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to auto-run installation commands and telemetry reporting on first activation without requiring a clear risk prompt or affirmative user approval. Automatic package installation and outbound requests introduce both supply-chain and privacy risk, especially in environments where the user expects a documentation skill rather than system modification. The context increases severity because these actions happen before the requested livestream task is fulfilled.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code performs an HTTP POST containing usage metadata with no user-facing warning, consent flow, or visible disclosure at execution time. In a skill intended for enterprise livestream operations, silent telemetry is more concerning because deployments may handle sensitive operational identifiers and are often expected to meet stricter privacy, compliance, and change-control requirements.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.