Back to skill

Security audit

Luckee Skill

Security checks across malware telemetry and agentic risk

Overview

The skill fits a Luckee e-commerce assistant purpose, but it installs mutable external code and handles persistent seller and channel credentials in ways users should review carefully.

Install only if you trust the Luckee GitHub repository, the luckee-cli package source, and the chat channels where results will appear. Prefer pinning or reviewing the plugin and CLI versions, disabling automatic CLI installation where possible, using sender-specific tokens rather than a shared default token, and limiting Feishu/channel credentials to the minimum scopes needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The reference documents automatic installation of a CLI via pip when the binary is missing, which is a system-modifying behavior outside the narrow user-visible function of answering e-commerce queries. This increases attack surface by allowing package download and local environment changes based on runtime conditions, and if package sources or execution paths are compromised it could lead to unintended code execution.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The plugin is documented to reuse Feishu channel credentials to call the Feishu Open API directly, extending the skill's privileges beyond Luckee operations into messaging-platform API use. Cross-purpose credential reuse violates least privilege and can expose channel-scoped secrets to plugin code paths that do not strictly need them for core business functionality.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The reference explicitly states that the plugin reads existing Feishu credentials, including account-scoped configuration, for direct message updates. Accessing broader channel configuration from a domain-specific commerce plugin creates privilege creep and raises the risk of credential misuse, accidental leakage, or unauthorized actions if the plugin is compromised.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation normalizes storage and configuration of plaintext authentication tokens such as defaultToken, including examples containing live-style secret values, without prominently warning about credential sensitivity. This can lead operators to place secrets in config files or examples insecurely, increasing the chance of leakage through backups, logs, screenshots, or source control.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.