Back to skill

Security audit

Universal Intelligence Agent

Security checks across malware telemetry and agentic risk

Overview

This research skill is not clearly malicious, but it combines broad web crawling, anti-detection behavior, persistent local logs/reports, credential/provider probing, and cron-capable monitoring with incomplete user controls.

Install only if you are comfortable with a stateful web-research skill that may write reports and logs under ~/.uia, inspect local provider configuration, and use crawler anti-detection tactics. Before use, review or disable monitoring/cron behavior, avoid sensitive queries unless you accept local persistence, pin dependencies, and use it only on sites where automated access is permitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill advertises a simple zero-config intelligence workflow, but the documented behavior includes persistent logging, WAL/session recovery, environment probing, subprocess/provider detection, and monitor management. This mismatch is dangerous because users may invoke it expecting transient research assistance while it performs persistence, system inspection, and background-capable operations that materially expand side effects and privacy risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document claims zero API-key cost and no external dependency, yet later states it will use gateway tokens or provider keys if present. This is risky because it can mislead users into exposing or consuming configured credentials unexpectedly, especially when the skill auto-detects environment state and routes requests to external providers.

Description-Behavior Mismatch

Low
Confidence
77% confidence
Finding
The coordinator serializes pipeline snapshots to WAL using json.dumps(snapshot, ensure_ascii=False, default=str), which can persist query content and intermediate pipeline data without any visible minimization, redaction, or consent controls in this file. In an intelligence-gathering skill, those snapshots may include sensitive user queries or collected content, increasing privacy and data-exposure risk if WAL storage is accessible or retained too long.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Cross-session resume reads persisted WAL entries and reconstructs pipeline state based only on a session_id, with no authentication, authorization, or integrity checks shown in this code. In a skill designed for broad information collection and analysis, that makes replay/resume capabilities more dangerous because prior collected data could be resumed, exposed, or processed across sessions by anyone able to supply or guess a valid session identifier.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module-level documentation claims all external input is sanitized at the system entry point, but the generic InputSanitizer.clean() path only applies basic string cleanup and does not automatically invoke URL-specific or HTML-specific sanitization. This mismatch can cause developers to trust unsafe data as already neutralized, leading to downstream XSS, unsafe fetches, or other injection issues when HTML or URLs are later consumed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The usage example suggests clean(query="<script>alert(1)</script>") will neutralize script content, but clean() calls sanitize_query() with escape_html disabled by default, which leaves the script tag intact aside from trimming and control-character removal. This is dangerous because developers may rely on the example and pass the returned string into HTML rendering or prompt/tool pipelines under the false assumption it was sanitized.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
This middleware creates persistent WAL files under the user's home directory for every session, which introduces durable local state unrelated to the skill's advertised search/analysis purpose. In an agent context, persistent per-session logs can retain sensitive prompts, paths, operational metadata, or identifiers across runs, increasing privacy and forensic exposure if the host is shared or compromised.

Intent-Code Divergence

Medium
Confidence
74% confidence
Finding
The documentation states that side effects are deferred until commit, but API calls are actually executed during the prepare phase. This mismatch can cause callers to assume external effects have not happened yet, leading to unsafe integration logic, incomplete rollback assumptions, and unintended network or state-changing actions before final commit.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises '智能反爬+指纹伪装' capabilities, which indicates deliberate evasion of anti-bot defenses and identity masking during scraping. Even though this is documentation rather than executable code, it normalizes potentially abusive network behavior without warning users about legality, consent, rate limits, target-site terms, or operational impact, making misuse more likely in a skill whose purpose is large-scale information collection.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are very broad and overlap with ordinary requests such as 'help me look up' or 'quickly understand,' increasing the chance the skill activates in contexts where the user did not intend multi-engine search, crawling, logging, or scheduling. In a skill with network access, file writes, cron, and exec available, ambiguous activation meaningfully increases the risk of unintended side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The monitoring trigger introduces scheduled Cron-based behavior, but the skill description does not prominently warn users that invoking monitoring can create persistent background tasks. Hidden or under-disclosed scheduling is dangerous because it can continue network activity and state changes after the initial interaction, surprising users and increasing operational risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents anti-detection crawling measures such as randomized user agents, cookie management, referer spoofing, retry on blocks, and use of cached snapshots, yet these behaviors are not surfaced as a prominent user warning. This is dangerous because it normalizes stealthy scraping behavior that can bypass site expectations, create legal/compliance exposure, and mishandle per-target cookies or tracking data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The adapter writes report content directly to a predictable path under the user's home directory without any explicit user consent, disclosure, or opt-in. In an agent skill that processes potentially sensitive intelligence or search results, this can create unintended local persistence of sensitive data and surprise file-system side effects, especially when `session_id` may influence filenames.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code writes full PipelineBus snapshots to persistent WAL storage after multiple phases, but there is no indication here of user disclosure, opt-in, or data-classification safeguards. For a tool that collects and analyzes external information, silent durable storage can capture sensitive research topics, crawled data, and analysis outputs, creating confidentiality and compliance risks.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The module description and the `search()` defaults bias behavior toward Chinese-language and Chinese-engine use (`language='zh'`, `engine_group='all'` resolving to CN+global for zh) without explicit user opt-in. In an intelligence-gathering skill, this can silently steer collection scope, jurisdiction, and content sources, producing privacy, compliance, or geopolitical bias risks and causing users to receive results from unintended regions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 安装: pip install -r requirements.txt

# 核心依赖
pydantic>=2.0.0

# 开发依赖
pytest>=7.0.0
Confidence
92% confidence
Finding
pydantic>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pydantic>=2.0.0

# 开发依赖
pytest>=7.0.0
pytest-cov>=4.0.0
pytest-timeout>=2.0.0
Confidence
88% confidence
Finding
pytest>=7.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 开发依赖
pytest>=7.0.0
pytest-cov>=4.0.0
pytest-timeout>=2.0.0
Confidence
87% confidence
Finding
pytest-cov>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 开发依赖
pytest>=7.0.0
pytest-cov>=4.0.0
pytest-timeout>=2.0.0
Confidence
87% confidence
Finding
pytest-timeout>=2.0.0

Known Vulnerable Dependency: pydantic — 4 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.) +1 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
pydantic

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.