Back to skill

Security audit

Lanzou Downloader V0.0.3

Security checks across malware telemetry and agentic risk

Overview

This is a real Lanzou file downloader, but it needs Review because it disables HTTPS certificate checks and runs JavaScript fetched from share pages before saving downloads.

Install only if you are comfortable running a downloader in a sandbox and using it only on links you trust. Before normal use, the author should restore HTTPS certificate validation, restrict accepted URLs to intended Lanzou domains, contain output paths, and avoid executing fetched page JavaScript without stronger isolation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs the agent to perform live network access and file downloads, yet the metadata shown in SKILL.md does not declare corresponding permissions. This creates a permission/transparency gap: a reviewer or policy engine may underestimate the skill’s capabilities, while the skill can still fetch untrusted remote content and write it to the workspace.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script saves the fetched password-page HTML to a local file, which can capture share-page content, anti-bot challenge material, and potentially user-relevant metadata outside the downloader’s stated runtime purpose. In a debugging context this is likely for troubleshooting, but persisting remotely fetched content to disk increases exposure of sensitive or copyrighted material and expands the data-handling surface.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill executes JavaScript fetched from a remote Lanzou share page using Node's vm, which means an untrusted third party controls code that is run locally during download processing. Although a limited context and timeout are used, vm is not a reliable security boundary in Node.js, so this creates a realistic path to sandbox escape, denial of service, or unexpected local code interaction from attacker-controlled share pages.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script fetches a remote page and executes JavaScript extracted from it using Node's vm module. Even with a constrained context and timeout, this expands the skill from downloading into executing attacker-controlled logic from an untrusted origin, which is a dangerous capability increase and can enable denial of service, parser abuse, or future sandbox-escape risk if the context is ever broadened.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The request options explicitly set rejectUnauthorized: false, which disables TLS certificate validation for all HTTPS requests. This enables man-in-the-middle interception or tampering of downloaded content, cookies, and share-password exchanges when connecting to external Lanzou share links, making the downloader materially less trustworthy.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Disabling TLS certificate validation allows man-in-the-middle interception and tampering of all HTTPS traffic to the file-sharing site. In this skill’s context, that is especially dangerous because the script then parses server responses, follows redirects, processes cookies, and executes extracted anti-bot JavaScript, so a network attacker could inject malicious content or alter download targets.

Missing User Warnings

High
Confidence
99% confidence
Finding
Disabling HTTPS certificate verification without warning means users may believe transport security is intact when it is not. In this skill, the code fetches remote pages, executes extracted anti-bot JavaScript in a VM, handles cookies, and later downloads files, so a network attacker could substitute responses and influence the entire flow.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/debug_pwd.js:35

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/download.js:59

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/test_pwd.js:35

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/test_pwd2.js:24