Security audit

Chexian Baodan Tong

Security checks across malware telemetry and agentic risk

Overview

This skill coherently organizes local car-insurance PDFs, but users should run it only on a narrow folder because it renames files and can zip unrelated folder contents.

Use this on a dedicated folder containing only the intended insurance PDFs. First run with --no-rename --no-pack or on a copy if filenames matter. Avoid --api unless you trust the configured provider and endpoint, and keep --no-pack enabled if the folder contains unrelated or sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'req' from os.environ.get (line 170, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            result = json.loads(resp.read().decode("utf-8"))
        content = result["choices"][0]["message"]["content"]
        # Try to parse the response content as JSON
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities to read PDFs from a folder, rename files, create ZIP archives, access environment variables for API keys, and optionally send document contents to an external API, yet no permissions are declared. This creates a transparency and consent gap: users or the platform may not realize the skill can access local files, modify them in place, read secrets from the environment, and transmit sensitive insurance document data over the network.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The ZIP routine archives every file under the chosen folder recursively, not just the PDFs that were processed. In a folder containing unrelated or sensitive files, the generated archive can unintentionally bundle and redistribute additional data, increasing exposure of local information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
API mode reads local insurance PDFs and transmits their contents to an external service, but the user is not clearly warned at runtime that sensitive policy data will leave the machine. Because insurance documents contain PII and policy numbers, this is a meaningful privacy and compliance risk in this skill context.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.