Security audit

Tongyong Shenhe

Security checks across malware telemetry and agentic risk

Overview

This is a real moderation automation tool, but it handles admin credentials and can change live moderation decisions with limited safeguards.

Install only if this is an approved internal moderation automation tool. Use a least-privilege account, protect config.json as a secret, do not commit or share TOTP seeds, run dry-run first, limit batches and modules, review rules carefully, avoid untrusted decisions files, and enable the external API only if its endpoint and data-handling policy are approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
Finding:
The fetch-only mode exports pending review content to a local JSON file, which can include sensitive, regulated, or confidential user-submitted content. In a moderation skill, bulk export for offline handling increases data-exfiltration and retention risk, especially because the file is written in plaintext without access controls, redaction, encryption, or an explicit warning.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
Finding:
The submit mode accepts arbitrary decisions from an external JSON file and applies them directly to the moderation backend after login. That creates a trust-boundary break: anyone who can supply or alter the decisions file can mass-approve or mass-reject content, bypassing the intended local-rule or API-based review flow.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
The guide explicitly instructs users to store backend username, password, and the raw TOTP seed in a local config.json file, but provides no safeguards such as secret managers, file permission restrictions, exclusion from version control, or rotation guidance. A stolen TOTP seed effectively nullifies the second factor because an attacker can generate valid codes indefinitely, making compromise of the config equivalent to compromise of the admin account.

Missing User Warnings

Severity: High | Confidence: 97%
Finding:
The deployment guide tells users to obtain the original TOTP seed and feed it to the automation so it can generate login codes. In this context, the skill is meant to log into administrative d.php backends over VPN, so exposing the raw seed is especially dangerous: anyone who gets that seed plus the password can continuously bypass MFA and access privileged moderation/admin functions.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding:
The description presents the skill as convenient and reusable but does not prominently warn that it can automatically approve or reject live submissions using backend credentials and TOTP. In this context, the omission is risky because operators from 'other groups' are encouraged to just fill in credentials and run it, which can lead to unintended production actions, abuse of privileged access, and unsafe trust in automated moderation outcomes.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding:
The usage guide explicitly instructs users to automatically submit moderation decisions and optionally send content to a third-party '技术部 API' (Technology Department API) for deeper review, but it does not provide a clear warning about privacy, data-sharing, retention, or authorization requirements. Because the reviewed content may contain user-generated text and possibly sensitive fields from backend moderation systems, operators could unknowingly transmit regulated or confidential data externally.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding:
This code sends moderation content to an external API whenever an API key is configured, but the file provides no explicit consent, warning, classification checks, or content-minimization controls. For a general-purpose moderation tool used across sites, transmitting user content to a third party can violate privacy expectations, contractual limits, or data-handling requirements.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
Fetch-only mode writes all pending review content to disk without safeguards such as restricted permissions, encryption, data minimization, or operator warning. Because this tool handles moderation queues for multiple backend sites, that behavior materially increases the chance of local disclosure, accidental sharing, or long-term retention of sensitive content.

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.