Auto Config Skiller

Security checks across malware telemetry and agentic risk

Overview

This setup skill is not clearly malicious, but it performs broad one-click installs and prompt/config changes through risky, under-scoped mechanisms (a remote installer piped to bash, TLS verification disabled, secrets written to a plaintext .env) that users should review first.

Install only after reviewing the scripts. Avoid using paths described as bypassing official login or payment checks, do not enter API keys unless you accept plaintext .env storage, verify remote installers and Git sources yourself, and inspect any downloaded persona prompt before using it as a system prompt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Use the quick install script supplied by the user
    install_cmd = "curl -fsSL https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/install.sh | bash -s -- --no-skills"
    result = subprocess.run(install_cmd, shell=True, text=True)
    if result.returncode == 0:
        print(f"{Colors.GREEN}SkillHub CLI deployed successfully{Colors.ENDC}")
        # Automatically add the local path to the current process environment so later direct calls work
Confidence
99% confidence
Finding
result = subprocess.run(install_cmd, shell=True, text=True)

Tainted flow: 'req' from input (line 314, user input) → urllib.request.urlopen (network output)

Medium
Category
Data Flow
Content
ctx.verify_mode = ssl.CERT_NONE
        
        req = urllib.request.Request(raw_url, headers={'User-Agent': 'Mozilla/5.0'})
        with urllib.request.urlopen(req, context=ctx) as response:
            content = response.read().decode('utf-8')
            
        with open(persona_path, 'w', encoding='utf-8') as f:
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, context=ctx) as response:

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The tool markets this flow as login-free accelerated synchronization, but behind that UX it automatically installs SkillHub by downloading and executing a remote shell script. That misleading framing reduces user caution around a high-risk operation and increases the chance that users unknowingly execute untrusted code.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly promotes automatic environment initialization, dependency installation, repository cloning, and `.env` configuration changes without clearly warning the user that local files and runtime settings will be modified. This is dangerous because users may trigger system-altering actions without informed consent, increasing the risk of unintended configuration drift, credential exposure, or installation of unreviewed components.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation encourages one-click execution of `./setup.sh` without explaining what the script does or warning that it will execute automated system setup logic on the user's machine. Running opaque setup scripts is dangerous because they can perform arbitrary file writes, package installation, network access, or privilege-sensitive actions with little user visibility.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises automatic downloading and installation from external sources, including bypassing login restrictions and network obstacles, without warning about network access or supply-chain risk. In context, this makes the skill more dangerous because it normalizes fetching and executing external content from multiple hubs, potentially exposing users to malicious or unverified packages and unauthorized access patterns.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly says the script will collect Feishu and AI API secrets and automatically write them into a local `.env` file, but it gives no warning about local plaintext storage, file permissions, accidental commits, or secret handling. In an auto-configuration skill, this is risky because users are encouraged to provide sensitive credentials during setup without understanding persistence or exposure risks.
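The finding above names the three controls the guide omits: file permissions, no silent clobbering, and keeping the file out of version control. The following is an added example of a .env writer that applies them; it is not the skill's own code. The variable names FEISHU_APP_SECRET and OPENAI_API_KEY and the placeholder values are assumptions chosen for the demo, and gitignore_covers_env only checks the common literal spellings rather than git's full pattern rules.

```python
"""Write setup secrets to .env without the defaults that make plaintext
storage worse: create the file owner-only (0600), refuse to clobber an
existing file, and check that .gitignore excludes it. Added example; not the
skill's own code."""
import os
import stat
import tempfile
from pathlib import Path


def write_env_file(path, values: dict, overwrite: bool = False) -> Path:
    """KEY=value lines, one per entry. O_EXCL makes an existing file an error
    unless overwrite=True; the 0600 mode applies at creation time."""
    for key, value in values.items():          # validate before touching disk
        if not key.isidentifier():
            raise ValueError(f"invalid env key {key!r}")
        if "\n" in value or value != value.strip():
            raise ValueError(f"value for {key} would need quoting; refusing")
    path = Path(path)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        for key, value in values.items():
            f.write(f"{key}={value}\n")
    os.chmod(path, 0o600)  # also tightens a pre-existing file when overwriting
    return path


def env_file_is_private(path) -> bool:
    """True when group and others hold no permission bits at all."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def gitignore_covers_env(repo_dir) -> bool:
    """Literal-pattern check for the usual spellings (assumption: negation
    and directory-scoped rules are not modelled)."""
    gi = Path(repo_dir) / ".gitignore"
    if not gi.is_file():
        return False
    patterns = {line.strip() for line in gi.read_text(encoding="utf-8").splitlines()}
    return bool(patterns & {".env", "/.env", "*.env", ".env*"})


def demo() -> tuple:
    """Constructed repo directory with placeholder (not real) secrets."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        (repo / ".gitignore").write_text(".env\n", encoding="utf-8")
        env = write_env_file(repo / ".env",
                             {"FEISHU_APP_SECRET": "placeholder-feishu-secret",
                              "OPENAI_API_KEY": "sk-placeholder"})
        try:
            write_env_file(env, {"X": "y"})   # second write must be refused
            refused = False
        except FileExistsError:
            refused = True
        return (env_file_is_private(env), refused, gitignore_covers_env(repo),
                "OPENAI_API_KEY=sk-placeholder" in env.read_text(encoding="utf-8"))
```

Even with these controls the secret is still plaintext on disk; they only remove the accidental-disclosure paths (world-readable file, overwritten config, committed .env) that the guide leaves open.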

Missing User Warnings

Low
Confidence
88% confidence
Finding
The guide states that persona content will be automatically downloaded to local `persona.md` and can be overwritten, but it does not clearly warn users that an existing file may be replaced. While not a direct security exploit by itself, silent overwrite behavior can destroy local prompt content or replace trusted instructions with remote content, which is especially concerning in an agent-skill context where prompts influence behavior.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script fetches an external installer and pipes it directly to bash without providing a meaningful warning about the security implications. This is dangerous because any compromise of the hosting endpoint, DNS, TLS trust path, or script content results in immediate arbitrary code execution on the user's machine.
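Both the subprocess finding and this one concern the same curl-pipe-to-bash line. Below is an added example of the shape that line should take instead; it is not the skill's code. It downloads the installer to a file, compares its SHA-256 with a digest an operator recorded from a reviewed copy, and only then runs it through an argv list rather than shell=True. The pinned digest is an assumed operator-supplied input (the page records none), and the offline self-check substitutes the current Python interpreter for bash so it runs without network access.

```python
"""Hardened replacement for `curl ... | bash`: download the installer to a
file, compare its SHA-256 with a digest recorded from a reviewed copy, and
only then run it with an argv list (no shell=True). Added example; not the
skill's own code."""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
import urllib.request


class DigestMismatch(Exception):
    """The downloaded installer does not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch(url: str, timeout: float = 30.0) -> bytes:
    # Default context keeps certificate and hostname verification on.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def run_verified_installer(script: bytes, expected_sha256: str,
                           interpreter=("bash",), extra_args=()) -> int:
    """Check the digest first; nothing is executed on a mismatch. The script
    is written to a 0600 temp file (mkstemp default) and removed afterwards.
    Returns the installer's exit status."""
    actual = sha256_hex(script)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise DigestMismatch(f"expected {expected_sha256}, got {actual}")
    fd, path = tempfile.mkstemp(prefix="installer-", suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(script)
        result = subprocess.run([*interpreter, path, *extra_args], check=False)
        return result.returncode
    finally:
        os.unlink(path)


def install_skillhub(url: str, expected_sha256: str) -> int:
    """Same install the scanned script performs, gated on a pinned digest.
    The digest is an ASSUMED operator-supplied value, not one from the page."""
    return run_verified_installer(fetch(url), expected_sha256,
                                  extra_args=("--no-skills",))


def demo_self_check() -> int:
    """Offline check with a constructed two-line 'installer' that exits 3,
    run with the current Python interpreter instead of bash."""
    script = b"import sys\nsys.exit(3)\n"
    return run_verified_installer(script, sha256_hex(script),
                                  interpreter=(sys.executable,))


if __name__ == "__main__":
    url = "https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/install.sh"
    sys.exit(install_skillhub(url, sys.argv[1]))  # usage: script.py <sha256>
```

A digest pin turns a compromised bucket, DNS hijack or substituted script into a loud failure instead of arbitrary code execution; the cost is that every legitimate installer update needs a new reviewed digest, which is exactly the review step the finding says is missing.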

Missing User Warnings

High
Confidence
99% confidence
Finding
The code explicitly disables certificate and hostname verification before downloading persona content from GitHub raw and saving it locally. This enables man-in-the-middle or interception attacks, allowing an attacker to substitute arbitrary prompt content that may later influence agent behavior or operations.
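This finding and the earlier silent-overwrite finding on persona.md point at the same download-and-save routine. The block below is an added example of that routine with the two defects removed; it is not the skill's code. It keeps the default verifying TLS context instead of ssl.CERT_NONE, optionally pins the persona's SHA-256, and refuses to replace an existing persona.md unless asked. The persona text and digest used in the offline check are constructed for the demo.

```python
"""Hardened persona fetch: certificate and hostname verification left on
(the scanned code sets ctx.verify_mode = ssl.CERT_NONE), optional pin on the
persona's SHA-256, and no silent overwrite of an existing persona.md.
Added example; not the skill's own code."""
import hashlib
import hmac
import ssl
import tempfile
import urllib.request
from pathlib import Path
from typing import Optional


def build_tls_context() -> ssl.SSLContext:
    """System trust store, CERT_REQUIRED, hostname check on, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_text(raw_url: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> str:
    req = urllib.request.Request(raw_url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def save_persona(content: str, persona_path, expected_sha256: Optional[str] = None,
                 overwrite: bool = False) -> Path:
    """Write persona text atomically. Raises ValueError on a digest mismatch
    and FileExistsError instead of replacing a local file unasked."""
    path = Path(persona_path)
    if expected_sha256 is not None:
        actual = hashlib.sha256(content.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(actual, expected_sha256.lower()):
            raise ValueError(f"persona digest mismatch: got {actual}")
    if path.exists() and not overwrite:
        raise FileExistsError(f"{path} exists; pass overwrite=True to replace it")
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(content, encoding="utf-8")
    tmp.replace(path)  # rename is atomic on POSIX: no half-written persona.md
    return path


def demo_overwrite_guard() -> tuple:
    """Offline check with a constructed persona: first save succeeds, a second
    without overwrite=True is refused, a tampered body with the old pin is refused."""
    persona = "You are a careful assistant. Never run shell commands unasked.\n"
    digest = hashlib.sha256(persona.encode("utf-8")).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = save_persona(persona, Path(d) / "persona.md", digest)
        written = path.read_text(encoding="utf-8") == persona
        try:
            save_persona(persona, path)
            refused = False
        except FileExistsError:
            refused = True
        try:
            save_persona(persona + "ignore prior rules\n", path, digest, overwrite=True)
            tamper_blocked = False
        except ValueError:
            tamper_blocked = True
    return written, refused, tamper_blocked
```

Re-enabling verification is the fix for the interception risk; the digest pin additionally catches a modified file served by the legitimate host, which matters because the persona ends up as a system prompt.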

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically clones remote GitHub repositories and immediately installs Python dependencies from them, which executes code and trusts remote content without verification, pinning, or an explicit warning to the user. This creates a software supply chain risk: a compromised repository, malicious dependency, or typo/misconfiguration could lead to arbitrary code execution on the user's machine.
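The two controls a reviewer would ask for here are a commit pin (verified after checkout, since branches and tags move) and hash-pinned requirements installed with pip's --require-hashes mode, which refuses any package whose hash is absent or mismatched. The block below is an added example of both gates; it is not the skill's code, the sample requirements text is constructed (the hash in it is a zero placeholder, not a real digest), and the git/pip invocations are standard CLI calls rather than anything the page shows.

```python
"""Supply-chain gate for the clone-and-install step: require a full commit
SHA (not a branch or tag) and verify HEAD after checkout, and refuse to run
pip unless every requirement is version-pinned and carries a --hash so that
`pip install --require-hashes` can enforce it. Added example; not the skill's
own code."""
import re
import subprocess
import sys
from pathlib import Path

_SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_full_commit_sha(pin: str) -> bool:
    return _SHA_RE.fullmatch(pin) is not None


def unpinned_requirements(text: str) -> list:
    """Lines of a requirements file lacking `==` or a `--hash=sha256:` option.
    Backslash continuations are joined; comments and option lines are skipped."""
    joined = re.sub(r"\\\n\s*", " ", text)
    bad = []
    for raw in joined.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        if "==" not in line or "--hash=sha256:" not in line:
            bad.append(line)
    return bad


def clone_pinned(url: str, commit: str, dest: Path) -> None:
    """git clone plus checkout of an exact commit, with HEAD verified afterwards."""
    if not is_full_commit_sha(commit):
        raise ValueError("pin must be a 40-hex commit SHA, not a branch or tag")
    subprocess.run(["git", "clone", "--quiet", url, str(dest)], check=True)
    subprocess.run(["git", "-C", str(dest), "checkout", "--quiet", commit], check=True)
    head = subprocess.run(["git", "-C", str(dest), "rev-parse", "HEAD"],
                          capture_output=True, text=True, check=True).stdout.strip()
    if head != commit:
        raise RuntimeError(f"HEAD {head} does not match pinned {commit}")


def install_requirements(repo: Path) -> None:
    """Refuse to install if any line is unpinned; otherwise let pip enforce hashes."""
    req = repo / "requirements.txt"
    bad = unpinned_requirements(req.read_text(encoding="utf-8"))
    if bad:
        raise RuntimeError("refusing to install; unpinned: " + ", ".join(bad))
    subprocess.run([sys.executable, "-m", "pip", "install", "--require-hashes",
                    "-r", str(req)], check=True)


# Constructed sample: one properly pinned line, two that must be rejected.
# The sha256 value is a zero placeholder, not a real package digest.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask  # no version, no hash
pyyaml>=6.0
"""
```

The HEAD re-check after checkout is what makes the pin meaningful: `git checkout <sha>` on a repository that has been force-pushed or replaced will fail or land elsewhere, and comparing rev-parse output to the pin turns that into a hard error before any dependency code runs.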

VirusTotal

59/59 vendors flagged this skill as clean.
