Back to skill

Security audit

Message Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a real Feishu message-tracking skill, but it exposes a root-oriented local daemon and sensitive chat controls too broadly for automatic approval.

Install only in a single-user or otherwise fully trusted local environment. Before broader use, restrict the daemon socket permissions, add authentication or peer checks, remove pre-lock deletion of runtime files, validate hook inputs, and document Feishu credential use, message retention, export, purge, and privacy expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script claims to prevent multiple instances, but it unconditionally deletes the lock, PID, socket, and daemon lock files before acquiring the lock. This defeats the safety property of file-based coordination and can allow concurrent daemon instances, stale-state corruption, or disruption of an already-running privileged service.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The daemon creates a Unix socket at /run/track-daemon.sock and explicitly sets permissions to 0o666, making it world-accessible. The request protocol has no authentication or authorization, yet exposes privileged operations including status, track, flush, and shutdown; any local user or process could connect and stop the daemon or manipulate stored message data.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script claims to prevent multiple instances, but it deletes the existing lock, PID, and socket files before acquiring the lock. That breaks the safety property of the lockfile scheme because a second invocation can remove the coordination artifacts of a running instance and then start a competing process, leading to multiple daemons, stale state, or interference with IPC.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The unconditional rm -f deletes coordination and runtime artifacts that may belong to an active daemon, with no checks for staleness or ownership. In a root-run script, this can break service integrity, interfere with IPC via the socket, and mask the presence of another running instance.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.