Back to skill

Security audit

Grok Geo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GEO audit tool, but it combines broad third-party querying, local data retention, and recurring automation that users should review before installing.

Review this before installing if you handle confidential brand, competitor, analytics, or access-log data. Use narrowly scoped API keys, disable or avoid scheduled audits unless needed, do not provide secrets in inputs, restrict run artifact access, and define retention/cleanup for raw responses and reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Direct flow: os.getenv (credential/environment) → httpx.post (network output)

Critical
Category
Data Flow
Content
# Volcengine uses the same endpoint as ByteDance Doubao
            import httpx
            endpoint_id = kwargs.get("endpoint_id", "doubao-pro-4k")
            response = httpx.post(
                "https://ark.cn-beijing.volces.com/api/v3/chat/completions",
                headers={
                    "Authorization": f"Bearer {os.getenv('ARK_API_KEY', self.api_key)}",
Confidence
84% confidence
Finding
response = httpx.post( "https://ark.cn-beijing.volces.com/api/v3/chat/completions", headers={ "Authorization": f"Bearer {os.getenv('ARK_

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares broad capabilities including shell, file read/write, environment-variable use, and network access, but does not explicitly declare permissions or narrowly scope them. This increases the chance of overprivileged execution and makes it harder for a caller or platform to reason about what the skill can access or modify.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior materially exceeds the stated purpose, including scheduling, monitoring, external integrations, artifact generation, and broad multi-engine/API activity. Such mismatch can mislead users and reviewers about the real attack surface, causing them to authorize a skill that performs persistent automation and additional outbound data flows they did not expect.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The changelog describes scheduler setup, monitoring, drift detection, and closed-loop optimization, which expands the skill from passive analysis into operational or semi-autonomous execution. That scope drift is risky because users and reviewers may trust the skill as read-only diagnostics while it actually exposes workflow automation surfaces that can trigger actions, especially via the newly added MCP tools.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The changelog states the skill can auto-generate schema/content-adjacent artifacts such as llms.txt, entity.json, brand.json, and aeo.json, which goes beyond a purely diagnostic posture. Artifact generation creates an output-writing capability that can modify repositories or operational content pipelines, increasing the chance of unintended changes, misuse, or misleading users about what the skill is allowed to do.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
Agent manifest generation and API endpoint verification are capabilities outside the stated brand-visibility audit scope and can interact with external systems in ways users may not expect. Even if intended for legitimate analysis, they broaden the attack surface by enabling service discovery, endpoint validation, and machine-consumable artifact creation under a diagnostic label.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Agentic commerce and autonomous agent engine functionality are materially more powerful than a standard GEO audit tool and suggest decision-making or action-oriented behavior beyond passive reporting. In this context, the danger comes from mismatch: users may invoke a brand-visibility auditor while actually enabling autonomous workflows that could influence business processes, external interactions, or downstream automation.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Recurring scheduling and continuous monitoring create persistence and repeated execution beyond a one-time audit. In a skill that also has shell, file-write, and network capabilities, this expands the blast radius from a single run to ongoing automated actions, storage growth, and repeated outbound requests.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The safety section says not to read secrets or files outside the run directory, yet the workflow explicitly relies on environment variables and allows base directories outside the run path. This contradiction weakens trust boundaries and can normalize access to sensitive host configuration or unintended filesystem locations, especially when combined with shell execution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document explicitly reframes the skill from a diagnostic auditor into a system that generates executable remediation actions and tracks their execution. That scope expansion can cause downstream agents or users to treat the skill as authorized to perform marketing, publishing, or operational changes that exceed the manifest’s stated analysis-only purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
These sections prescribe concrete content creation, content updates, outreach, FAQ publishing, and schema changes as part of the skill’s workflow, which materially broadens the skill into implementation and marketing operations. In an agentic setting, this can lead to unauthorized content generation or external engagement contrary to the declared 'do not use for content publishing' boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The outreach templates operationalize direct contact with publishers and authors, implying the skill can facilitate or automate external communications. That creates risk of unauthorized outreach, spam-like behavior, brand impersonation, or policy violations because the manifest describes GEO analysis, not active communications campaigns.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The methodology states the system is 'not just diagnosis' and will support execution and impact tracking, directly conflicting with the manifest restriction against content publishing and ordinary operational use. Contradictory internal instructions are dangerous because agents typically follow the more detailed workflow text, causing scope drift into prohibited actions.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document claims raw API responses with user data are not stored, but its normalized schema explicitly preserves full question_text and answer_text. Even if raw vendor payloads are discarded, retaining these fields can still store sensitive user prompts, proprietary brand data, or personal information sent to third-party engines, creating a privacy and data-retention gap.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document explicitly proposes an autonomous optimization loop that detects gaps, prioritizes actions, and executes them continuously. In a skill whose stated purpose is diagnostic GEO analysis and reporting, this materially expands behavior toward unattended operational changes, which can cause unintended modifications, policy violations, or unsafe downstream actions if later implemented.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file expands the skill from GEO auditing into agentic commerce and A2A operational-readiness assessment, which is a real scope-creep issue for a security-sensitive agent skill. Broadening capabilities beyond the declared purpose increases the chance that downstream tooling or operators will invoke actions or trust outputs that were never reviewed under the original threat model.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The manifest-generation path fabricates or advertises operational capabilities such as API access and purchase completion based largely on user-supplied brand fields, then writes them as an AgentManifest. In an agent ecosystem, this can misrepresent authority or readiness and could cause other components to attempt sensitive integrations or transactional flows that were never validated.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly states that the skill collects evidence via `web_search`, but it does not prominently warn users that prompts, brand names, and query content may be sent to external services. In a security-sensitive agent setting, missing disclosure can lead to unintended transmission of confidential or regulated data, especially because this skill is designed for broad brand and competitor analysis across many AI/search engines.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The scheduled audit setup enables ongoing automated execution and file writes without a strong warning that the system will continue making changes and running commands over time. In the context of a skill with shell and filesystem capabilities, insufficient disclosure can lead to unintended persistence and operational risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that raw engine responses are written to disk, but it does not warn that these outputs may contain sensitive prompts, brand intelligence, proprietary research inputs, or third-party response data. In a GEO auditing skill, operators are likely to process confidential competitive and marketing information, so silently persisting raw data increases the risk of unintended retention, local disclosure, or inclusion in backups and logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The module documents integration with multiple third-party AI engines but does not disclose that submitted queries and related context may be transmitted to external providers. Because this skill is specifically designed for brand visibility, competitor analysis, and factual diagnostics, users may submit sensitive business plans, customer data, or confidential research prompts to services with different retention and processing policies.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly instructs saving raw search responses to persistent storage immediately after each search, but provides no safeguards around retention, minimization, redaction, or user notice. Search responses can contain sensitive user prompts, proprietary research targets, account-linked content, or personal data from cited pages, so indiscriminate retention increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
These instructions direct the agent to merge extracted analytics into result objects, append them to raw JSONL logs, and update manifests, again without warning that both source data and derived profiling data will be persisted. Persisting derived analytics can still expose sensitive business intelligence, search behavior, or personal data in aggregate, especially in a GEO audit context that may involve competitor and brand monitoring.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guidance explicitly tells the agent to write user-provided access logs to a temporary file and persist results to report.json, but it does not require sanitization, minimization, secure file permissions, retention limits, or avoidance of sensitive fields. Access logs often contain personal data, internal paths, IP addresses, query strings, tokens, and sometimes accidentally logged credentials or cookies, so handling them this way can create secondary data exposure through local files, artifacts, or downstream reports.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill routes user queries to multiple external AI providers, but the description does not clearly warn users that their prompts may leave the primary environment and be processed by third parties. This can cause unintended disclosure of confidential business information, customer data, or regulated content, especially because the design emphasizes broad multi-engine dispatch.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.