Security audit

Chexian Baodan Tong

Security checks across malware telemetry and agentic risk

Overview

This skill coherently organizes local car-insurance PDFs, but users should run it only on a narrow folder because it renames files and can zip unrelated folder contents.

Use this on a dedicated folder containing only the intended insurance PDFs. First run with --no-rename --no-pack or on a copy if filenames matter. Avoid --api unless you trust the configured provider and endpoint, and keep --no-pack enabled if the folder contains unrelated or sensitive files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (4)

Tainted flow: 'req' from os.environ.get (line 170, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: method="POST" ) try: with urllib.request.urlopen(req, timeout=60) as resp: result = json.loads(resp.read().decode("utf-8")) content = result["choices"][0]["message"]["content"] # 尝试解析 JSON
Confidence: 96% confidence
Finding: with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill documentation describes capabilities to read PDFs from a folder, rename files, create ZIP archives, access environment variables for API keys, and optionally send document contents to an external API, yet no permissions are declared. This creates a transparency and consent gap: users or the platform may not realize the skill can access local files, modify them in place, read secrets from the environment, and transmit sensitive insurance document data over the network.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The ZIP routine archives every file under the chosen folder recursively, not just the PDFs that were processed. In a folder containing unrelated or sensitive files, the generated archive can unintentionally bundle and redistribute additional data, increasing exposure of local information.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: API mode reads local insurance PDFs and transmits their contents to an external service, but the user is not clearly warned at runtime that sensitive policy data will leave the machine. Because insurance documents contain PII and policy numbers, this is a meaningful privacy and compliance risk in this skill context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.