Yunzhan Online Flipbook Generator (云展网电子画册在线生成器)

Security checks across malware telemetry and agentic risk

Overview

The skill does create Yunzhan flipbooks, but it instructs the agent to collect the user's account username and password, and its examples document broader account actions (listing and deleting books, profile retrieval) that go beyond the declared create-and-share purpose.

Review carefully before installing. Use it only for documents you intentionally want to upload to Yunzhan and publish/share online. Avoid pasting a real account password into chat; prefer a dedicated low-privilege account or safer provider-controlled login if available. Do not allow listing or deletion of existing books unless you explicitly requested that action and confirmed the exact IDs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to collect the user's cloud-service username and password to obtain a token, even though the task is file conversion and sharing. Asking users to disclose credentials directly to the agent creates unnecessary credential exposure risk, expands data collection beyond what a safer delegated OAuth-style flow would require, and can lead to account compromise if mishandled or logged.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The documented delete and list APIs materially expand the capability of the skill beyond file conversion into content enumeration and destructive operations. In an agent-skill context, including these examples increases the risk that an integrator or downstream agent will invoke deletion or bulk listing without clear user intent, causing unauthorized data exposure or loss.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill’s stated purpose is file conversion and online sharing, but the examples also expose user-profile retrieval and CRM QR-code APIs. This broadens the accessible capability surface beyond the declared workflow, increasing the chance an agent or integrator uses account-related endpoints unnecessarily and discloses profile or support-channel data to third parties.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
Including a delete-books capability exceeds the manifest's declared create/share scope and introduces a destructive action that can remove user content. In an agent setting, capability creep is dangerous because users may trigger or authorize the skill expecting publishing behavior, not deletion of existing assets.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The trigger conditions are broad enough to activate on generic file-viewing or file-sharing requests, which can cause the agent to invoke this skill in contexts where the user did not intend to upload content to a third-party service. Because the skill uploads user files and may subsequently request account credentials, overbroad triggering materially increases the chance of unintended data disclosure and unsafe credential collection.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill directs the agent to ask for a cloud-service username and password without any warning about credential sensitivity, secure handling, or safer alternatives. In an agent environment, this is especially dangerous because credentials may be exposed in chat history, logs, telemetry, or downstream tooling, enabling unauthorized access to the user's account.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The delete example performs a destructive action with only a book identifier and token, yet the documentation provides no warning, confirmation requirement, or indication that the action is irreversible. In an automation setting, this makes accidental or unauthorized deletion more likely, especially if an agent copies the example verbatim into workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The examples show raw username/password submission and bearer-like token usage without any privacy or handling guidance. This is dangerous because users may hardcode secrets into scripts, logs, screenshots, or repositories, leading to credential theft and unauthorized API access.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The examples instruct users to submit credentials and upload local files to a remote service without any warning about privacy, retention, or third-party disclosure. In a skill context, this can normalize transmitting sensitive documents and authentication secrets off-platform without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The deletion example performs a destructive remote operation but omits any warning that the action can permanently remove ebooks. Without explicit caution and confirmation guidance, developers or agents may implement this path in a way that causes accidental data loss.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill not only asks for the user's username and password in plain language but instructs the agent to use those credentials for subsequent actions. This effectively trains the system to act as a credential collector and account operator, creating a direct path to credential theft, session hijacking, and full compromise of the associated cloud account if any component is abused or breached.
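The overview and the findings above repeatedly ask for the same four controls around this skill: do not collect a password in chat, take a token for a dedicated low-privilege account from outside the conversation, deny account endpoints the create/share purpose does not need, and require a per-ID confirmation before any deletion, with secrets scrubbed from whatever is logged. The following policy guard is an added example written for this page; it is not code from the skill, from Yunzhan or from the scanner. The action names (create_book, share_book, list_books, get_profile, crm_qr, delete_book), the FLIPBOOK_TOKEN variable and the book_ids parameter are assumptions standing in for the skill's real API surface, which the page does not spell out.

```python
"""Policy guard for an agent skill that wraps a third-party flipbook service.

Added example, not code from the skill or from the scan report. It implements
the controls the overview and findings call for: no passwords collected in
chat, a token supplied by the host environment instead, default-deny on
endpoints outside the declared create/share purpose, a per-ID confirmation
before any deletion, and redaction of secrets before anything is logged.
Action names, the FLIPBOOK_TOKEN variable and the field names are assumptions.
"""
import json
import os
import re
from dataclasses import dataclass, field

IN_SCOPE = {"create_book", "share_book"}               # what the skill claims to do
ENUMERATING = {"list_books", "get_profile", "crm_qr"}  # account/profile surface in its examples
DESTRUCTIVE = {"delete_book"}                          # irreversible, needs per-ID confirmation


@dataclass
class UserIntent:
    """What the user explicitly asked for in the current turn."""
    requested_actions: set = field(default_factory=set)
    confirmed_ids: set = field(default_factory=set)


def obtain_token(chat_supplied_password, env=None):
    """Return (token, reason). Refuse any password typed into the conversation."""
    if chat_supplied_password:
        return None, "refused: credentials must not be collected in chat"
    env = os.environ if env is None else env
    token = env.get("FLIPBOOK_TOKEN")  # assumed: issued out of band for a low-privilege account
    if not token:
        return None, "refused: no host-provided token and no password fallback"
    return token, "ok: token taken from host environment"


def authorize(action, params, intent):
    """Return (allowed, reason) for one API call the agent wants to make."""
    if action in IN_SCOPE:
        return True, f"{action}: within declared create/share scope"
    if action in ENUMERATING:
        if action not in intent.requested_actions:
            return False, f"{action}: outside declared scope and not requested"
        return True, f"{action}: explicitly requested"
    if action in DESTRUCTIVE:
        ids = {str(i) for i in params.get("book_ids", [])}
        if action not in intent.requested_actions:
            return False, f"{action}: destructive action was not requested"
        unconfirmed = ids - intent.confirmed_ids
        if not ids or unconfirmed:
            return False, f"{action}: ids not individually confirmed: {sorted(unconfirmed) or 'none given'}"
        return True, f"{action}: confirmed ids {sorted(ids)}"
    return False, f"{action}: unknown action, denied by default"


# Field names whose values must never reach a log, chat transcript or screenshot.
_SECRET = re.compile(
    r'(?i)\b(password|token|authorization)\b'  # field name
    r'(["\']?\s*[:=]\s*["\']?)'               # separator with optional quotes
    r'(bearer\s+)?'                           # keep the scheme word if present
    r'([^\s"\'&,}]+)'                         # the secret value
)


def redact(text):
    """Mask password/token values wherever they appear in free text."""
    return _SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3) or ''}[REDACTED]", text)


def audit_line(action, params):
    """Build the log line for a call with secrets already masked."""
    return redact(f"{action} {json.dumps(params, sort_keys=True)}")


if __name__ == "__main__":
    # Constructed inputs: one confirmed book ID, one deletion request that sneaks in a second ID.
    intent = UserIntent(requested_actions={"delete_book"}, confirmed_ids={"1001"})
    print(obtain_token("hunter2"))                                            # refused
    print(authorize("delete_book", {"book_ids": ["1001", "1002"]}, intent))  # refused: 1002 not confirmed
    print(authorize("delete_book", {"book_ids": ["1001"]}, intent))          # allowed
    print(audit_line("login", {"username": "alice", "password": "hunter2"}))
```

The guard is deliberately default-deny: an action the manifest never mentioned is refused even when the user asked for it, and a bulk deletion is refused as a whole if a single ID in it was not confirmed, rather than partially executed. The redaction is a last line of defence for transcripts and logs; the primary control is that obtain_token never lets a chat-supplied password into the flow at all.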

VirusTotal

0 of 67 VirusTotal engines detected anything in this skill; all 67 reported it clean. Note that a clean antivirus result says nothing about the credential-collection and scope findings above, which are behavioral rather than malware signatures.
