Back to skill

Security audit

Saylove Get - 土味情话

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it fetches a random TianAPI love quote using a user-provided TianAPI key, with no hidden persistence or unrelated data access found.

Install only if you are comfortable using TianAPI for these quote requests. Prefer setting TIANAPI_SAYLOVE_KEY as an environment variable or secret, avoid passing the key on the command line, and do not commit any scripts/.env file containing the key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger description is broad enough to overlap with ordinary conversational requests about flirting, humor, or writing help, which can cause the agent to invoke the skill more often than necessary. Over-broad activation increases unnecessary exposure of API keys and network calls, and may route benign chat into tool execution without clear user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage guide says to execute the script whenever the user wants a love quote, but it lacks boundaries, confirmation requirements, or negative examples. In an agent setting this can lead to automatic tool invocation for loosely related requests, causing unnecessary credential use and external data disclosure to a third-party service.

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
    export TIANAPI_SAYLOVE_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_SAYLOVE_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export TIANAPI_SAYLOVE_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_SAYLOVE_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
    python3 scripts/fetch_saylove.py 你的APIKey
Confidence
95% confidence
Finding
.env

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.