
Security audit

You can talk to the Lightcloud API in natural language (NPL), so debugging the Lightcloud API is no longer so confusing.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only helper for Lightcloud API calls, with disclosed credential use and record-changing commands that require careful handling.

Install this only if you intend for your agent to help manage Lightcloud form data. Use least-privilege credentials, avoid pasting production secrets into shared chats or logs, and manually verify workspace, form, and record IDs before running any create, update, or delete command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 81% confidence
Finding
The trigger description is broad enough to activate on generic CRUD or document-operation requests, which can cause the skill to engage outside the intended Qingyun/Lightcloud context. Over-broad activation increases the chance that users are prompted for credentials or shown destructive API commands in unrelated contexts, creating unnecessary exposure to sensitive operations.

Missing User Warnings

Medium, 94% confidence
Finding
The skill provides ready-to-run batch deletion commands without prominent warnings that deletion is irreversible or that the target IDs should be verified first. In an assistant context, this increases the risk of accidental destructive actions, especially if users copy commands without understanding their effect.

Missing User Warnings

Medium, 89% confidence
Finding
The workflow instructs the agent to collect appId, eid, and secret, but it does not warn that these are sensitive credentials that should not be retained, echoed, or logged. In a skill context, omission of credential-handling safeguards can lead to unnecessary exposure of secrets through chat history, logs, screenshots, or copied commands.

Missing User Warnings

Medium, 93% confidence
Finding
This documentation exposes a destructive bulk-delete endpoint but does not warn that the operation may permanently remove records or require extra authorization checks and confirmation flows. In the context of an agent skill that may automate API usage, omission of such safety guidance increases the risk of accidental or overly broad data deletion.

Missing User Warnings

Low, 87% confidence
Finding
The document shows token and secret acquisition parameters, including appId, eid, and secret, without any security note about secure storage, redaction, or avoiding exposure in logs and examples. In an integration skill, this omission can lead developers or agents to mishandle credentials and leak access to the Lightcloud tenant.

VirusTotal

65/65 vendors flagged this skill as clean.
