Mirror Website

Security checks across malware telemetry and agentic risk

Overview

This website-mirroring skill is transparent about its goal, but it gives the agent broad file, network, and background-server authority without enough user control.

Install only if you will review each run before execution. Use it only for sites you own or are authorized to copy, choose a new empty destination folder, remove certificate and robots.txt bypasses unless explicitly needed, avoid automatic proxy use, and start any preview server only after confirming it binds to localhost and you know how to stop it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill goes beyond mirroring a site by instructing the agent to start a persistent local HTTP server with nohup. That introduces an unnecessary long-lived process and an additional attack surface on the local machine, which is not required to complete the user's core request of downloading files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states the skill will create local directories and automatically start a Python HTTP preview server, but does not mention any confirmation, consent, port-binding notice, or safety constraints. That creates a real safety issue because the skill can perform filesystem changes and expose local content over a listening service as part of normal execution, which is more dangerous in an agent context where broad user phrasing may trigger automation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger guidance is overly broad, with examples like 'download to local', 'offline browse', and 'clone site' that could cause the skill to activate in situations where the user did not clearly authorize recursive fetching, file writes, proxy use, and server startup. In an agent system, ambiguous activation materially increases the chance of unintended high-impact actions, especially since this skill performs multiple system-affecting steps automatically.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions are overly broad and state the skill 'must' be used for many common phrases about saving or cloning a site. This can cause the skill to activate in contexts where the user did not intend recursive downloading, filesystem writes, proxy probing, or server startup, increasing the chance of unsafe side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation omits clear up-front warnings that the workflow will modify local files, create and execute shell scripts, probe proxies, ignore certificate validation, bypass robots.txt, and start a background server. Users may unknowingly authorize risky actions because the description presents it as a routine mirroring task without prominent disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Enter the site root directory (i.e. the domain subdirectory) and start the server in the background
cd <SAVE_PATH>/<DOMAIN>
nohup python3 -m http.server $PORT > /dev/null 2>&1 &
SERVER_PID=$!

echo "预览服务器已启动:"
```
Confidence
97% confidence
Finding
nohup

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
--domains <DOMAIN>,www.<DOMAIN> \
     --wait=2 \
     --random-wait \
     --no-check-certificate \
     --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" \
     --header="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
     --header="Accept-Language: zh-CN,zh;q=0.9,en;q=0.8" \
```
Confidence
98% confidence
Finding
--no-check

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| `--convert-links` | Convert links to local paths |
| `--domains` | Include both www and non-www so nothing is missed |
| `--wait=2 --random-wait` | Random wait to avoid being blocked |
| `--no-check-certificate` | Skip SSL certificate verification |
| `-e robots=off` | Ignore robots.txt |

> **Note: do not use `--html-extension` / `--adjust-extension`.** That option automatically appends an extension based on Content-Type, which causes `fontawesome.min.css` to be saved as `fontawesome.min.css.css`.
Confidence
98% confidence
Finding
--no-check

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
echo "下载: $full_url → $local_file"
  mkdir -p "$(dirname "$local_file")"
  wget -q --no-check-certificate \
    --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0.0.0" \
    -O "$local_file" \
    "$full_url" || echo "  失败: $full_url"
```
Confidence
98% confidence
Finding
--no-check

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### Step 3: Check network connectivity and proxies

Before running wget, first check whether the target site can be reached directly:

```bash
# Try a direct connection first
```
Confidence
85% confidence
Finding
before running wget, first check whether the target site can be reached directly:
```bash
# Try a direct connection first
curl -sI --connect-timeout 5 https://<DOMAIN>/ > /dev/null 2>&1
DIRECT=$?
# If the direct connection fails, try common proxies
if [ $DIRECT -ne 0 ]; then
  curl -sI --connect-timeout 5 -x http://1
```

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
echo "下载: $full_url → $local_file"
  mkdir -p "$(dirname "$local_file")"
  wget -q --no-check-certificate \
    --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0.0.0" \
    -O "$local_file" \
    "$full_url" || echo "  失败: $full_url"
```
Confidence
98% confidence
Finding
wget -q --no-check-certificate

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal