Celo服务

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill claims to be a Celo setup/helper tool, but its code and instructions route user inputs and an API key through an unrelated XiaoBenYang service and store that key locally.

Install only after the publisher clarifies why a Celo skill needs a XiaoBenYang API key, exactly what data is sent to that service, and how the key is stored and removed. Treat the requested API key as sensitive, and avoid using this package in projects containing private wallet, account, or business data until the Celo/XiaoBenYang mismatch is resolved.

SkillSpector (11)

By NVIDIA

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill advertises and documents capabilities to read environment variables, read/write local files, and make network calls, yet it declares no permissions. This creates a transparency and policy-bypass risk: users and hosting platforms cannot accurately assess or constrain what the skill can access, while the workflow explicitly includes persisting API keys to local storage and calling an external service.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior materially differs from the stated purpose: instead of installing/configuring a local Celo MCP server on macOS, it appears to collect an API key, store it locally, and query an external XiaoBenYang service for remote documentation/data. This kind of description-behavior mismatch is dangerous because it can mislead users into granting secrets and permissions under false pretenses, undermining informed consent and security review.

Category: Intent-Code Divergence
Severity: High
Confidence: 96%
Finding: The API-key workflow and project documentation reference a different service domain than the claimed Celo MCP purpose, indicating the skill may be repurposed, copy-pasted, or mislabeled. This increases the risk of credential harvesting or deceptive routing of user requests to an unrelated backend, especially because users are instructed to provide a required API key before use.

Category: Intent-Code Divergence
Severity: High
Confidence: 95%
Finding: The workflow example shows an unrelated school-search function call inside a purported Celo component skill, demonstrating inconsistent or transplanted instructions. Such contradictions are dangerous because they suggest the skill logic may call unintended tools or process user data in the wrong domain, which weakens trust and can cause accidental data disclosure or misuse.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: The declared project structure names an unrelated gaokao skill, contradicting the Celo identity and reinforcing that the package may be mislabeled or repurposed. This is risky because it obscures provenance, makes auditing difficult, and raises the possibility that credentials or requests are handled by code intended for a different service.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: This file implements a generic client for an external '小笨羊MCP' (XiaoBenYang MCP) service and sends tool names, MCP identifiers, parameters, and an API key to a remote endpoint, which materially exceeds the manifest's stated purpose of locally installing/configuring a Celo Composer Kit MCP server. In an agent-skill context, this creates an unexpected data-exfiltration and remote-action channel: user-supplied inputs may be forwarded off-host to a third party without clear disclosure, making the manifest/implementation mismatch itself security-relevant.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The code exposes a general-purpose external API invocation surface via headers ('func', 'mcpid') and arbitrary JSON params, but the skill description does not justify any need for remote tool proxying. In practice, this broadens the attack surface: a skill presented as a local installer can silently act as a broker to an external service, enabling unexpected command/data forwarding and reducing the user's ability to reason about trust boundaries.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 86%
Finding: The class is explicitly documented as a '小笨羊MCP API客户端' (XiaoBenYang MCP API client), directly contradicting the manifest's Celo-focused description and reinforcing that the code serves a different remote platform than advertised. That mismatch is dangerous in a security review because it indicates deception or severe packaging negligence, undermining informed consent and increasing the likelihood that operators deploy functionality with hidden external dependencies.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The configuration clearly targets a different product/domain than the declared Celo service: it uses XBY_GAOKAO-prefixed settings, a xiaobenyang.com endpoint, and gaokao-related identifiers. This mismatch is dangerous because it can misdirect secrets and traffic to an unrelated backend, causing unauthorized data disclosure or covert repurposing of the skill under a misleading manifest.

Category: Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The class docstring identifies the skill as '小笨羊高考Skill配置' (XiaoBenYang Gaokao Skill configuration), which conflicts with the declared Celo service. In combination with the unrelated domain and env names, this strongly suggests code reuse or package substitution that could trick users into supplying credentials to the wrong service.

Category: Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The function persists the API key in plaintext to a local .env file and mirrors it into the process environment without any explicit user warning or consent flow. This increases the chance of accidental exposure through weak file permissions, backups, source-control mistakes, local compromise, or downstream process inspection.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
