Back to skill

Security audit

Content Collector Skill

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate archiving purpose, but it can silently copy shared links and full content into a broadly visible Feishu knowledge base without tight consent or access limits.

Install only after disabling silent mode or requiring confirmation, restricting approved users/chats/domains, verifying the Feishu account and scopes used, and defining visibility, retention, audit, and deletion rules for archived content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill claims it will only update a single configured knowledge-base table, but elsewhere instructs writes to MEMORY.md and even proposes creating an additional image-resource table. This inconsistency weakens operator expectations and can lead to unauthorized persistence of user/content metadata beyond the declared storage scope.

Vague Triggers

High
Confidence
97% confidence
Finding
The silent-trigger logic is broad enough to auto-archive many shared links based on loose heuristics like 'knowledge-like links' and absence of explicit refusal. In a chat environment, ambiguous triggers can cause unintended data collection, copying, and persistence without a clear affirmative user action.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs silent collection and transfer of linked content into Feishu docs and knowledge-base records without clear notice about privacy, retention, visibility, or ownership. Cross-system copying of potentially sensitive material without transparent consent creates substantial confidentiality and compliance risk.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly supports silent collection in group chats and broad retention of content from shared links without per-message consent. Because it stores fetched material and metadata persistently, this behavior can capture sensitive or proprietary information that users did not intend to archive.

Ssd 3

High
Confidence
99% confidence
Finding
The global-access policy allows any user to trigger archiving from any chat, including private chats, while making resulting documents visible to all users. This creates a direct path for over-collection and over-sharing of internal or personal content far beyond the original audience.

Ssd 3

High
Confidence
99% confidence
Finding
The workflow mandates copying full content, original URLs, summaries, keywords, and collection history into multiple persistent stores such as docs, tables, indexes, and memory logs. Replicating data across several systems increases exposure, retention, and deletion-management risks, especially for copyrighted, confidential, or regulated content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.