Cook Like Hoc

Security checks across malware telemetry and agentic risk

Overview

This is a coherent recipe lookup skill with minor disclosure issues around broad activation and optional GitHub token use.

Install this if you are comfortable with a recipe helper making network requests to GitHub/jsDelivr and caching a recipe index locally. If you have GITHUB_TOKEN set and do not want it used for this skill's GitHub API request, unset it before running the skill, or run with a token that has no scopes, which is enough to lift the unauthenticated rate limit for public content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill instructs the agent to execute a local Python script. The static analyzer detected network, file read/write, and environment-variable capabilities in that script, yet the skill declares no permissions or constraints. The mismatch hides the real execution surface from reviewers and users: the script may fetch remote repository content or read and write local files with no explicit trust boundary.
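One way to surface exactly this kind of mismatch, as an added example that is neither the skill's nor the scanner's code: parse the script with Python's `ast` module, resolve imports and attribute chains to a small table of capability-implying calls, and diff the result against the manifest. The sample script, the manifest shape (`{"permissions": [...]}`) and the signature tables are all constructed for this example.

```python
"""Added example (not the skill's or the scanner's own code): statically detect
which capabilities a skill's Python script uses and diff them against what its
manifest declares. Sample script, manifest shape and signature tables are
constructed here."""
import ast

# Constructed stand-in for the skill's local script; not the real one.
SAMPLE_SCRIPT = '''
import os
import json
import urllib.request

def fetch_index(url):
    headers = {}
    token = os.environ.get("GITHUB_TOKEN")      # ambient credential
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:   # network
        data = resp.read()
    with open("index_cache.json", "wb") as fh:  # local file write
        fh.write(data)
    return json.loads(data)
'''

# Assumed manifest: the skill declares nothing.
SAMPLE_MANIFEST = {"name": "cook-like-hoc", "permissions": []}

# (module, attribute) -> capability. Illustrative, not exhaustive.
CAPABILITY_SIGNATURES = {
    ("urllib.request", "urlopen"): "network",
    ("urllib.request", "Request"): "network",
    ("requests", "get"): "network",
    ("requests", "post"): "network",
    ("os", "environ"): "environment",
    ("os", "getenv"): "environment",
    ("subprocess", "run"): "process",
    ("subprocess", "Popen"): "process",
    ("shutil", "rmtree"): "filesystem",
}
BUILTIN_SIGNATURES = {"open": "filesystem"}


def _import_aliases(tree):
    """Map bound names to module paths so 'import urllib.request as ur' and
    'from os import environ' still resolve to the signature table."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    top = a.name.split(".")[0]   # 'import urllib.request' binds 'urllib'
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted(node):
    """Render an attribute chain rooted at a Name as 'a.b.c'; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def _classify(full):
    if full in BUILTIN_SIGNATURES:
        return BUILTIN_SIGNATURES[full]
    module, _, attr = full.rpartition(".")
    return CAPABILITY_SIGNATURES.get((module, attr))


def detect_capabilities(source):
    """Return {capability: {resolved names that imply it}} for a script's source."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    found = {}
    for node in ast.walk(tree):
        if not isinstance(node, (ast.Attribute, ast.Name)):
            continue
        dotted = _dotted(node)
        if dotted is None:
            continue
        head, _, rest = dotted.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        cap = _classify(full)
        if cap:
            found.setdefault(cap, set()).add(full)
    return found


def undeclared_capabilities(source, manifest):
    """Capabilities the script uses that the manifest does not declare, sorted."""
    declared = set(manifest.get("permissions", []))
    return sorted(set(detect_capabilities(source)) - declared)


if __name__ == "__main__":
    for cap, names in sorted(detect_capabilities(SAMPLE_SCRIPT).items()):
        print(f"{cap}: {', '.join(sorted(names))}")
    print("undeclared:", undeclared_capabilities(SAMPLE_SCRIPT, SAMPLE_MANIFEST))
```

The check is deliberately syntactic: it will miss `getattr`-style indirection and dynamic imports, so treat an empty result as "nothing obvious", not as proof of absence. A non-empty `undeclared_capabilities` result is the reviewer's cue to require either a manifest declaration or a code change.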

Context-Inappropriate Capability

Severity: Low
Confidence: 94%
Finding
The skill conditionally reads a GitHub token from the environment and sends it in an outbound API request. Even though the apparent purpose is to avoid the unauthenticated rate limit, using an ambient credential without explicit disclosure or scoping is a real concern: the skill silently changes the trust boundary and transmits a potentially sensitive secret that may carry far more privilege than the request needs.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrase list includes the generic everyday expression "做菜" ("to cook" / "cooking"), which is broad enough to cause unintended invocation on many unrelated cooking requests. Over-broad activation is risky because it can route users into code-executing skill behaviour unexpectedly, increasing the chance of unnecessary local script execution and data access.
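A reviewer can turn "too broad" into a number by checking each trigger against held-out utterances the skill should not own. The following is an added example, not code from the skill or from the scanner; apart from "做菜", which the finding quotes, the trigger list and every utterance are constructed for illustration.

```python
"""Added example (not from the skill or the scanner): measure trigger breadth as
a false-positive rate over out-of-scope utterances. Only "做菜" comes from the
finding; the rest of the trigger list and all utterances are constructed."""

TRIGGERS = ["cook like hoc", "hoc recipe", "做菜"]   # assumed list

# Constructed held-out utterances. In-scope: the user really wants this skill.
IN_SCOPE = [
    "cook like hoc: braised pork belly",
    "find me a hoc recipe for dumplings",
    "用 Cook Like Hoc 做菜，红烧肉怎么做",   # "cook with Cook Like Hoc, how to make braised pork"
]
# Out-of-scope: everyday cooking talk that must not route to a code-executing skill.
OUT_OF_SCOPE = [
    "我今天不想做菜",                         # "I don't feel like cooking today"
    "做菜的时候被烫伤了怎么办",                # "what to do about a burn while cooking"
    "what internal temperature should chicken reach",
    "recommend a cookbook for beginners",
]


def fires(trigger, utterance):
    """Case-folded substring match, the loosest form of keyword triggering."""
    return trigger.casefold() in utterance.casefold()


def trigger_report(triggers, in_scope, out_of_scope, max_false_positive_rate=0.0):
    """Per trigger: recall on in-scope utterances, false-positive rate on
    out-of-scope ones, and an overbroad verdict against the tolerated rate."""
    report = {}
    for t in triggers:
        hits_in = sum(fires(t, u) for u in in_scope)
        hits_out = sum(fires(t, u) for u in out_of_scope)
        fp_rate = hits_out / len(out_of_scope)
        report[t] = {
            "recall": hits_in / len(in_scope),
            "false_positive_rate": fp_rate,
            "overbroad": fp_rate > max_false_positive_rate,
        }
    return report


def overbroad_triggers(triggers, in_scope, out_of_scope, max_false_positive_rate=0.0):
    """Triggers that fire on out-of-scope utterances more often than tolerated."""
    rep = trigger_report(triggers, in_scope, out_of_scope, max_false_positive_rate)
    return [t for t, r in rep.items() if r["overbroad"]]


if __name__ == "__main__":
    for t, r in trigger_report(TRIGGERS, IN_SCOPE, OUT_OF_SCOPE).items():
        print(f"{t!r}: recall={r['recall']:.2f} fp={r['false_positive_rate']:.2f} "
              f"overbroad={r['overbroad']}")
```

With these inputs only "做菜" fires on out-of-scope text (half of the constructed negatives), while the phrases that include the skill's own name never do. That is the property a trigger list should have: every phrase carries something that identifies this skill rather than the whole topic of cooking.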

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The code reads GITHUB_TOKEN and places it in an Authorization header for a request to api.github.com without any user-facing notice. This matters because a secret leaves the host process without the user knowing, and in agent environments such tokens may be broader than intended or belong to the platform rather than to the skill.
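The two token findings above (silent use of an ambient credential, and no user-facing notice) call for the same fix, so one added example covers both. It is not the skill's own code: `ambient_headers` shows the pattern the findings describe, and `policy_headers` the hardened form, which requires an explicit opt-in variable, only ever sends the token to an allow-listed GitHub API host over HTTPS, and tells the user when it does. The opt-in variable name `COOK_LIKE_HOC_USE_GITHUB_TOKEN` and the allow-list are assumptions made for this example.

```python
"""Added example (not the skill's own code): attach an ambient GITHUB_TOKEN only
when the user has opted in, only to api.github.com over HTTPS, and say so.
The opt-in variable name and the allow-list are assumptions for this example."""
import os
from urllib.parse import urlsplit

TOKEN_VAR = "GITHUB_TOKEN"
OPT_IN_VAR = "COOK_LIKE_HOC_USE_GITHUB_TOKEN"   # assumed; not a setting the skill defines
ALLOWED_TOKEN_HOSTS = frozenset({"api.github.com"})


class TokenPolicyError(RuntimeError):
    """Raised when a request would carry the token somewhere the policy forbids."""


def ambient_headers(url, env):
    """The pattern the findings describe: silently attach whatever token is in
    the environment, with no notice and no check on the destination."""
    headers = {}
    token = env.get(TOKEN_VAR)
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def token_allowed_for(url):
    """True only for HTTPS requests to an allow-listed GitHub API host.
    Exact hostname match, so api.github.com.evil.example does not qualify."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_TOKEN_HOSTS


def redact(token):
    """Show only the prefix so a notice never echoes the whole secret."""
    return token[:4] + "..." if len(token) > 8 else "***"


def policy_headers(url, env, notify=print):
    """Hardened variant: explicit opt-in, destination allow-list, user-facing notice."""
    headers = {"Accept": "application/vnd.github+json"}
    token = env.get(TOKEN_VAR)
    if not token:
        return headers
    if env.get(OPT_IN_VAR) != "1":
        notify(f"{TOKEN_VAR} is set but {OPT_IN_VAR}=1 is not; "
               "continuing unauthenticated (lower rate limit).")
        return headers
    if not token_allowed_for(url):
        raise TokenPolicyError(f"refusing to send {TOKEN_VAR} to {url}")
    notify(f"Sending {TOKEN_VAR} ({redact(token)}) to {urlsplit(url).hostname} "
           f"because {OPT_IN_VAR}=1.")
    headers["Authorization"] = f"Bearer {token}"
    return headers


if __name__ == "__main__":
    # Runs against the real environment; prints the decision it would make.
    print(policy_headers("https://api.github.com/rate_limit", dict(os.environ)))
```

Passing `env` explicitly rather than reading `os.environ` inside the function keeps the policy testable and makes the credential flow visible at the call site, which is exactly what a reviewer reading the skill wants to see.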

VirusTotal

0/65 vendors flagged this skill as malicious; all 65 reported it clean.
