
Security audit

Naver Writer ACP

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Naver Blog publishing purpose, but it includes an admin-level direct dispatch fallback and persistent third-party runner setup that users should review carefully.

Install only if you trust the third-party thin-runner package and the ACP endpoints you configure. Use the offering execute path for normal publishing, avoid setting ACP admin keys on user machines, do not publish sensitive drafts unless you intend to send them through the configured services, and understand how to stop or remove the local runner service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 80%

Finding
The skill description is scoped broadly enough to trigger on common user intents such as 'write/publish a Naver post' or 'recover onboarding', so the skill can activate in situations where the user has not clearly consented to marketplace execution, local daemon interaction, or one-time setup/login flows. Broad invocation is more dangerous here than in a typical skill because activation can lead to shell execution, access to the local service on `127.0.0.1`, and submission of a paid ACP offering.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
The setup guide instructs operators to export several sensitive values, including local tokens, proof/setup URLs, offering API keys, and an explicit admin API key fallback, but gives no guidance on secure storage, shell history leakage, log exposure, or least-privilege handling. That omission matters more here than in a generic guide because the document walks users through a real publishing/payment control flow, so the copied export commands and the admin fallback path are likely to be used directly in production-like environments.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 93%

Content (excerpt flagged in the skill's script; the request body after `-d` and the target URL fall outside the excerpt)

fi

dispatch_code="$({
  curl -sS -o "$exec_tmp" -w '%{http_code}' \
    -X POST \
    -H 'content-type: application/json' \
    -H "x-api-key: ${ADMIN_KEY}" \

Finding
The flagged call is the `curl ... -X POST ... -H "x-api-key: ${ADMIN_KEY}" -d ...` request shown above: the direct dispatch fallback posts data to a remote endpoint and authenticates with the admin API key (`${ADMIN_KEY}`) instead of the offering key. The HTTP status is captured with `-w '%{http_code}'` while the response body is written to `$exec_tmp`.
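The two findings above, Missing User Warnings and External Transmission, come down to the same two habits: keep the exported secrets out of shell history, process listings and logs, and treat the admin-key dispatch as an opt-in break-glass path rather than a silent fallback. The script below is an added example for this page, not code from the Naver Writer ACP skill, its thin runner, or SkillSpector. The variable names ACP_OFFERING_API_KEY, ACP_ADMIN_KEY and ACP_ALLOW_ADMIN_FALLBACK, the acp.env file and every key value in it are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example for this audit page. Not code from the Naver Writer ACP skill, its thin
# runner, or SkillSpector. ACP_OFFERING_API_KEY, ACP_ADMIN_KEY, ACP_ALLOW_ADMIN_FALLBACK,
# the acp.env file and all key values below are assumptions constructed for the demo.
#
# Weak pattern that a copied "export" line from a setup guide produces (do not do this):
#   export ACP_ADMIN_KEY=acp_live_...          # recorded verbatim in the shell history file
#   curl -H "x-api-key: $ACP_ADMIN_KEY" ...    # argv is visible to other local users via ps

# Return 0 only for a regular file that nobody but its owner can read (mode 600 or 400).
secrets_file_ok() {
  f=$1
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as the fallback.
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$perms" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Export KEY=VALUE lines from a permission-checked file. Values never appear on a command
# line or in output, so neither shell history nor ps sees them. Blank lines and '#'
# comments are skipped; a malformed key is reported and skipped, not exported.
load_secrets() {
  f=$1
  if ! secrets_file_ok "$f"; then
    echo "refusing $f: must be a regular file with mode 600 or 400" >&2
    return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    val=${line#*=}
    case "$key" in
      ''|*[!A-Za-z0-9_]*) echo "skipping malformed line in $f" >&2; continue ;;
    esac
    export "$key=$val"
  done < "$f"
}

# Pick the credential for a publish and expose it as SELECTED_KEY / SELECTED_PATH instead
# of printing it. The offering key is the normal path. The admin key is a break-glass
# fallback used only when ACP_ALLOW_ADMIN_FALLBACK=1 is set explicitly, so a user machine
# that merely has ACP_ADMIN_KEY in its environment still stays off the admin dispatch path.
select_api_key() {
  SELECTED_KEY=''
  SELECTED_PATH=''
  if [ -n "${ACP_OFFERING_API_KEY:-}" ]; then
    SELECTED_KEY=$ACP_OFFERING_API_KEY
    SELECTED_PATH=offering
    return 0
  fi
  if [ -n "${ACP_ADMIN_KEY:-}" ] && [ "${ACP_ALLOW_ADMIN_FALLBACK:-0}" = 1 ]; then
    SELECTED_KEY=$ACP_ADMIN_KEY
    SELECTED_PATH=admin
    return 0
  fi
  echo "no usable credential: set ACP_OFFERING_API_KEY, or ACP_ADMIN_KEY plus ACP_ALLOW_ADMIN_FALLBACK=1 on an operator machine" >&2
  return 1
}

# Mask the x-api-key header value in a request line before it is written to any log.
redact_api_key() {
  printf '%s\n' "$1" | sed -E 's/(x-api-key: *)[^ "]+/\1[REDACTED]/g'
}

# Demo on a constructed secrets file in a temporary directory.
demo() {
  d=$(mktemp -d) || return 1
  printf '# constructed example, not a real key\nACP_OFFERING_API_KEY=offering_key_example\n' > "$d/acp.env"
  chmod 600 "$d/acp.env"
  load_secrets "$d/acp.env" && select_api_key && echo "publishing via the $SELECTED_PATH path"
  redact_api_key "curl -X POST -H \"x-api-key: $SELECTED_KEY\" -d @body.json https://acp.example/execute"
  rm -rf "$d"
}

demo
```

The point of `select_api_key` returning its result in variables rather than on stdout is that a `$(...)` capture of the key would otherwise end up in whatever the caller logs; `redact_api_key` covers the remaining case where the whole request line is logged for debugging. The mode check in `secrets_file_ok` fails closed, so a world-readable secrets file is refused rather than loaded with a warning.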

VirusTotal

66/66 vendors reported this skill as clean; no vendor flagged it.

View on VirusTotal