小方同学全球首个营销方案Agent

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it handles account credentials and uploads login/output files to a public third-party host in ways users should review carefully.

Review before installing. Avoid entering your AIPPT password through the agent, avoid using confidential business plans or customer data, and assume generated reports, PDFs, and QR login images may be uploaded to tmpfiles.org links accessible to anyone who has the URL.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (11)

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The skill instructs the agent to upload generated documents to tmpfiles.org, a third-party file host unrelated to the core service. This creates an external data exfiltration path for potentially sensitive user marketing plans and derived content, with no clear necessity, data-processing agreement, or trust boundary disclosure.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The skill instructs the agent to collect the user's phone number and password, encrypt them, and submit them to a third-party service for authentication. Even if intended to enable the service, this is highly sensitive credential handling that exceeds the core marketing/PPT generation function and creates unnecessary exposure of secrets, tokens, and account data within the agent workflow.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The documented QR-login flow uploads a screenshot of the login QR code to tmpfiles.org, a public third-party file host unrelated to the service. That exposes an authentication artifact to another external party and could let anyone with the link attempt to use the login session, while also leaking metadata about user authentication behavior.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly says the skill will read user-provided links/files and obtain a login token, but it does not warn users what data may be accessed, transmitted to third parties, retained, or exposed during that process. In a skill that processes uploaded documents and authenticated content, missing privacy and consent guidance can lead to inadvertent disclosure of sensitive files, account data, or session information.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The instructions direct the agent to send generated documents to an external file-sharing service without clearly warning the user that their content will be transmitted outside the primary service. That deprives the user of informed consent and materially increases confidentiality risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The instructions normalize sending a login QR screenshot to a public host without any privacy or security warning, increasing the chance that users or operators treat a sensitive login artifact as ordinary content. In this skill context, the QR code is part of an authentication flow, so mishandling it materially raises account-takeover and privacy risks.

Ssd 3

High

Confidence: 99% confidence
Finding: Uploading user-generated reports and PDFs to a public temporary file-sharing service creates a direct natural-language data leakage channel. Marketing plans may contain confidential strategy, customer data, business plans, or proprietary material, and public-hosted temporary links can be accessed beyond the intended recipient.

Ssd 3

High

Confidence: 98% confidence
Finding: The skill explicitly instructs the agent to read an authentication token from browser localStorage and reuse it for API calls. That is sensitive credential harvesting from browser state, expanding the blast radius of a browser session token and normalizing access to secrets outside a dedicated auth handoff boundary.

Ssd 3

High

Confidence: 99% confidence
Finding: The browser-login flow tells the agent to inspect localStorage for a login token, which exposes session credentials through natural-language workflow instructions. In the context of a skill with browser and exec access, this is especially dangerous because the token can then be replayed for authenticated API access beyond the immediate page interaction.

Ssd 3

High

Confidence: 99% confidence
Finding: The workflow explicitly tells the agent to request the user's phone number and password, handle them in memory, and obtain tokens and user information as part of normal operation. This is dangerous because it turns the skill into a credential-processing component, expanding the blast radius of compromise and violating the principle of least privilege for a marketing-content tool.

Ssd 3

High

Confidence: 99% confidence
Finding: The sample code prints the access token and user info after login, which risks exposing bearer credentials in logs, console output, transcripts, or downstream tooling. Any party with access to those outputs could reuse the token to access the associated account until expiry.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal