Maxhub Kuaishou

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kuaishou data lookup skill using MaxHub, with privacy and routing caveats but no evidence of hidden, destructive, or deceptive behavior.

Install only if you are comfortable sending Kuaishou search terms, profile/video IDs, links, and the MaxHub API key to https://www.aconfig.cn. Use a dedicated API key, avoid production cookies or session tokens, and ask the agent to confirm before resolving personal profiles, collections/favorites, or generating share links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The skill repeatedly presents itself as read-only, but its documented capabilities include short-link generation, which is a state-changing remote operation. This mismatch can cause an agent or user to authorize the skill under a lower-risk assumption, bypassing confirmation flows or policy checks that should apply to non-idempotent actions.

Intent-Code Divergence

Medium (92% confidence)
Finding
The inline '只读' (read-only) constraint conflicts with the link generation features described later, creating an inconsistent security contract inside the same skill. In agent ecosystems, such inconsistencies are dangerous because tool-selection and guardrail logic may trust the low-risk declaration while the actual endpoint set can still create remote artifacts.

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The recipe adds a share-link generation action even though the skill metadata says the skill is read-only and focused on public-data query/analysis. This capability mismatch can cause an agent or reviewer to underestimate side effects, and link generation may be treated as an outbound action or content propagation step that violates least-privilege expectations.

Vague Triggers

Medium (81% confidence)
Finding
The trigger phrases "看回复" ("view replies") and "评论回复" ("comment replies") are short and broad, with no scope constraints or negative examples to prevent accidental matching. In an agent setting, this can cause the recipe to fire on loosely related user input and invoke comment/reply collection unexpectedly, which increases the chance of unintended data retrieval or workflow misrouting.

Vague Triggers

Medium (84% confidence)
Finding
The trigger phrases for the user-search recipe are short and generic, making accidental activation more likely during normal conversation. In an agent setting, broad routing rules can cause unintended access to external data sources and execution of a workflow the user did not clearly request, which is a real prompt/skill-selection boundary weakness.

Vague Triggers

Medium (82% confidence)
Finding
The link-based profile recipe uses vague trigger phrases that could match benign mentions of links or profiles without a clear request to resolve and query a Kuaishou share URL. This increases the chance of unintended external requests and data retrieval, especially because the recipe accepts a share link and performs chained lookup steps.

Vague Triggers

Medium (87% confidence)
Finding
The live-status recipe includes a very broad conversational trigger like asking whether someone is live, which can overlap with ordinary speech and loosely specified requests. In a tool-using agent, this can misroute conversation into external lookups about a user’s live status without sufficiently precise intent or identifier binding.

Vague Triggers

Medium (72% confidence)
Finding
The trigger phrases for the share-link flow are broad enough that ordinary requests like 'open link' or 'video link' could route users into processing arbitrary shared text. In a skill that consumes user-supplied links, vague routing increases the chance of unintended invocation, misuse of the wrong atom, or handling attacker-controlled share content without sufficiently clear user intent.

Vague Triggers

Medium (77% confidence)
Finding
The recommendation flow is triggered by vague terms like 'recommendation' or 'home recommendation', which can overlap with many generic user requests and cause the agent to fetch a default recommendation feed without sufficiently specific consent. In this skill context, broad auto-routing is risky because it can invoke external requests and produce unrelated data retrieval based on weak intent matching.

Missing User Warnings

Medium (90% confidence)
Finding
The skill documentation explicitly instructs use of an authenticated external API and describes transmitting search keywords, photo_id, and user_id to a third-party service, but it provides no privacy notice, consent requirement, or data-handling warning to the end user. In a people/content search context, those inputs can reveal user interests, targets of investigation, or identifiers tied to individuals, creating avoidable privacy and compliance risk even though the API is read-only.

Missing User Warnings

Medium (94% confidence)
Finding
The skill explicitly exposes an endpoint for retrieving a user's 收藏作品 (saved/favorited content) but provides no user-facing privacy warning, consent requirement, or policy constraint around accessing potentially sensitive preference data. Even if the API is read-only, favorites/collections can reveal personal interests, habits, relationships, or other profiling signals, making this more sensitive than ordinary public profile metadata.

VirusTotal

64/64 vendors flagged this skill as clean.
