Security audit

Personalized Vocational Skill Learning Path Generation (职业技能个性学习路径生成)

Security checks across malware telemetry and agentic risk

Overview

This skill looks like a learning-path generator with local outputs and public reference lookups, but users should verify its sources because some bundled scripts are incomplete or use non-official references.

Install only if you are comfortable with local temporary copies of extracted document text and possible public reference queries using topic terms. Treat generated learning paths and source labels as draft material: verify citations and standards manually before using them for certification, compliance, or formal training decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

MCP Least Privilege

Medium
Confidence
89% confidence
Finding
The skill advertises operational behaviors that imply file reads, file writes, and network access, but it declares no permissions or equivalent user-visible capability notice. This creates a trust and containment problem: users and hosting platforms cannot accurately assess what data the skill may access, persist, or transmit, increasing the chance of unintended data exposure.

MCP Tool Poisoning

High
Confidence
95% confidence
Finding
The documented behavior materially exceeds and contradicts the stated purpose: it allegedly fetches external sites, performs live validation, uses non-domestic sources, and may rely on hardcoded/template data instead of the provided standard document. This is dangerous because users may provide sensitive or proprietary documents expecting local, purpose-limited processing, while the skill may silently enrich, verify, or substitute content using external services and misleading provenance.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation does not ingest or parse any occupational skill standard document despite claiming to generate a graph from such input. This creates a deceptive integrity failure: downstream users may trust the output as standards-derived when it is largely a fixed template, leading to unsafe or invalid learning plans, especially in a skill that markets itself as using authoritative domestic resources.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The code documents that authoritative resources should be dynamically searched, but elsewhere embeds fixed source lists and example learning resources directly into the generated graph. This mismatch can misrepresent the freshness and authority of recommendations, causing users to rely on stale or inapplicable resources under a false claim of authoritative sourcing.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The function returns all-zero placeholder quality metrics while the surrounding design implies those metrics reflect real analysis. If consumed by other components or users, this can produce misleading quality assessments, disable gating logic, or normalize obviously incomplete graphs as if they had been evaluated.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The method advertises that authoritative resources should be collected via real searches, but it returns empty placeholder arrays and no collection logic is implemented. In a skill whose purpose is to generate authoritative learning paths, this can mislead downstream users into trusting outputs that appear evidence-based when no evidence was actually gathered.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The quality-metrics function claims to compute assurance metrics from collected data, but always emits fixed zero placeholders. This is dangerous because consumers may interpret the report as a real quality evaluation, leading to incorrect trust decisions about the generated learning graph.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script claims to build a knowledge graph from an input occupational skill standards document, but it never accepts, parses, or analyzes such a document and instead emits mostly hardcoded content. In this skill context, that is especially risky because users may rely on the output for education or certification planning under the false assumption that it reflects the provided standard.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The test helper writes validation results to a fixed absolute path under the local user's home directory. While this appears intended for local debugging rather than exfiltration, hard-coded file writes can unexpectedly persist potentially sensitive input/output data, fail in other environments, or overwrite files if the path is reused. In the context of a skill, this exceeds the minimum capability needed for knowledge validation and creates unnecessary local side effects.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file introduces real-time retrieval, validation, and recommendation behavior that materially expands the skill beyond its declared purpose of generating learning paths from domestic official resources. This scope drift is dangerous because it silently changes trust boundaries, causes network-dependent behavior, and may inject unreviewed external content into outputs that users may treat as authoritative.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code queries Wikipedia and arXiv even though the skill description says the target is China-domestic vocational standards and official domestic references. This creates a provenance and policy mismatch: foreign public sources can introduce inaccurate, non-compliant, or adversarial content into learning recommendations while misleading users into believing the output is based on approved authoritative sources.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code makes outbound network requests to Baidu Baike even though the skill is described as operating on supplied occupational skill standard documents, so it introduces an undocumented data flow and a dependency on external content. This can leak user-provided topics to a third party, make outputs non-deterministic, and expand the attack surface through untrusted remote content ingestion.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that extracted PDF text and progress state are written to /tmp, but it gives no warning about local persistence, retention, or cleanup. If the input documents contain personal, confidential, or regulated information, these temporary files can remain accessible to other processes, be recovered later, or be mishandled during failures and resumptions.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The validator hard-codes Chinese Wikipedia as the language source without user choice or justification, which can bias retrieval and hide that the skill is relying on a particular foreign source variant. In this context, the problem is not just locale preference but silent policy behavior that may affect accuracy, compliance, and user expectations about what sources are being consulted.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.