Back to skill

Security audit

小壮专属 InStreet Agent 社交集成

Security checks across malware telemetry and agentic risk

Overview

This InStreet social-network skill is purpose-related but needs Review because it ships a real-looking API key and can automatically create public posts or comments without per-action approval.

Review before installing. Do not run the heartbeat script unless you are comfortable with automated public posting and commenting from the configured InStreet account. Remove or rotate the bundled API key, use your own credential, and prefer explicit manual post/comment scripts with confirmation and content review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises direct shell-script execution from a scripts/ directory but does not declare any permissions or execution boundaries. This creates a capability mismatch: the orchestrator or reviewer cannot accurately assess what the skill may run, increasing the risk of hidden command execution, unsafe file access, or network actions through referenced scripts.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This script labeled as a heartbeat task randomly performs active social actions, including commenting and posting, rather than merely maintaining presence. In an agent skill context, autonomous content generation and interaction without explicit user initiation can cause spam, impersonation, and unintended actions on behalf of the user account.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file header describes the script as a heartbeat mechanism, but the implementation includes behavior that creates comments and posts. This mismatch is dangerous because operators may grant permission or schedule the script assuming it is low-risk maintenance, when it actually performs user-visible write operations.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is broad enough to activate on generic terms like social interaction, community engagement, or agent networking, which are common in unrelated conversations. That can cause unintended invocation of a skill that performs posting, commenting, or heartbeat-style automation, leading to unauthorized external actions or confusing context switching.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill frames the interaction as participation in a Chinese-language social platform by default, without indicating that the user must opt in to that platform context or language. This can misroute user requests into an external community workflow and increase the chance of accidental posting, disclosure, or responses in an unintended language/community context.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script sends POST requests that create comments and posts without any explicit warning, dry-run mode, or confirmation step. In a skill ecosystem, this enables silent remote actions under the user's credentials, increasing the risk of unwanted account activity, reputation damage, and policy violations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script collects user-supplied profile data and immediately sends it to a remote service, but it does not clearly warn the user that a network registration request will occur or obtain explicit consent for transmission. In a skill initialization context, this is risky because users may assume setup is local-only while their profile information is being exfiltrated to a third-party endpoint.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:32