DinzeeAgent

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a paid e-commerce data gateway, but it also holds high-impact authority to install and update local agent skills from gateway-delivered packages.

Review carefully before installing. Use an environment variable instead of saving the token when possible, keep the token narrowly scoped and revocable, and require explicit confirmation before any paid call or any skill install/update. Only use the skill-install and skill-update commands if you trust Dinzee's gateway as a software delivery channel for code and agent instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes powerful capabilities including shell, network, file read/write, and environment access, yet does not declare permissions or constrain them in the manifest. This makes user consent and platform policy enforcement weaker, and is especially risky here because the documented workflow includes credential handling, paid network actions, and local filesystem writes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised purpose is e-commerce research via gateway-routed MCP tools, but the skill also manages credentials and installs or updates other skills by downloading and writing content locally. That hidden expansion of scope is dangerous because users invoking a data agent may not expect software delivery, local code introduction, or billable updates to occur under the same trigger surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Documenting the ability to install and update other skills is materially beyond the stated role of an e-commerce data agent. This creates a software supply-chain and privilege-boundary risk because a user asking for research could be steered into actions that fetch and place new skill content onto the local agent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation reassures users that all calls are gateway-routed and upstream endpoints are hidden, but omits that the workflow also delivers skill files into the local agent. That mismatch can mislead users about trust boundaries, because the primary risk is no longer only remote API use but also local persistence of new executable or instruction content.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill’s stated purpose is e-commerce data research via MCP tools, but the code also exposes a separate skill-center capability that installs packaged skills onto the local agent filesystem. That materially expands the trust boundary from remote data retrieval to local code/content deployment, creating a supply-chain and persistence risk that is not implied by the advertised functionality.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The package-writing logic decodes gateway-supplied ZIP content and writes it into the local skills directory after deleting any existing target directory. Even with basic path traversal checks, this enables remote delivery of arbitrary agent skill content to the filesystem, which can alter agent behavior and create persistence if the gateway or package source is compromised or abused.
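The two findings above describe a delete-then-write of gateway-supplied ZIP content with only basic traversal checks. The block below is an added example written for this page, not the DinzeeAgent skill's own code, of what a hardened version of that step looks like: every member is checked before anything touches disk (absolute paths, `..` in any position including after backslash separators, symlink members, declared size and member-count limits), extraction goes to a staging directory under the skills root, the final path is re-checked against the staging root, and the old skill directory is only removed once the whole package has unpacked. The limits, function names and the sample archive contents are assumptions for the example.

```python
import io
import os
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path

# Limits are assumptions for this example; the page documents none for the skill.
MAX_MEMBERS = 2000
MAX_TOTAL_BYTES = 50 * 1024 * 1024


class UnsafePackage(ValueError):
    """A member failed a check; nothing has been written when this is raised."""


def _clean_parts(member_name: str) -> list[str]:
    # Normalise separators so 'a\\..\\b' cannot hide a traversal on POSIX hosts.
    return [p for p in member_name.replace("\\", "/").split("/") if p not in ("", ".")]


def check_package(zip_bytes: bytes) -> list[str]:
    """Validate every member before anything touches disk; return normalised file names."""
    names, total = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise UnsafePackage(f"too many members ({len(infos)})")
        for info in infos:
            raw = info.filename.replace("\\", "/")
            if raw.startswith("/") or (len(raw) > 1 and raw[1] == ":"):
                raise UnsafePackage(f"absolute path: {info.filename}")
            parts = _clean_parts(raw)
            if ".." in parts:  # zip-slip: reject '..' anywhere, not only at the start
                raise UnsafePackage(f"path traversal: {info.filename}")
            if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode bits sit in the high word
                raise UnsafePackage(f"symlink member: {info.filename}")
            total += info.file_size  # declared size; zipfile enforces it when reading
            if total > MAX_TOTAL_BYTES:
                raise UnsafePackage("declared uncompressed size exceeds limit")
            if parts and not info.is_dir():
                names.append("/".join(parts))
    return names


def install_skill(zip_bytes: bytes, skills_dir: Path, skill_name: str) -> Path:
    """Unpack a checked package into a staging dir, then swap it in place of any old copy."""
    if not skill_name or "/" in skill_name or "\\" in skill_name or skill_name in (".", ".."):
        raise UnsafePackage(f"bad skill name: {skill_name!r}")
    check_package(zip_bytes)  # refuse the whole package before any delete or write
    skills_dir = Path(skills_dir).resolve()
    skills_dir.mkdir(parents=True, exist_ok=True)
    target = skills_dir / skill_name
    if target.is_symlink():  # a symlinked entry would redirect the delete-and-write elsewhere
        raise UnsafePackage(f"{target} is a symlink; refusing to replace it")
    staging = Path(tempfile.mkdtemp(prefix=f".{skill_name}.", dir=skills_dir))
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                rel = "/".join(_clean_parts(info.filename))
                if info.is_dir() or not rel:
                    continue
                out = staging / rel
                # Defence in depth: the resolved target must stay inside the staging root.
                if os.path.commonpath([staging, out.resolve()]) != str(staging):
                    raise UnsafePackage(f"escapes staging dir: {info.filename}")
                out.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(out, "wb") as dst:
                    shutil.copyfileobj(src, dst, length=1024 * 1024)
        if target.exists():
            shutil.rmtree(target)  # old copy goes only after the new one is complete
        staging.rename(target)  # single rename on the same filesystem
    except BaseException:
        shutil.rmtree(staging, ignore_errors=True)
        raise
    return target


def build_sample_archive(members) -> bytes:
    """Constructed test input: members is a list of (name, data, symlink_target_or_None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, link in members:
            info = zipfile.ZipInfo(name)
            if link is not None:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
                data = link.encode()
            zf.writestr(info, data)
    return buf.getvalue()


def classify(zip_bytes: bytes) -> str:
    """Return 'ok:' plus the file list, or 'refused:' plus the reason."""
    try:
        return "ok:" + ",".join(check_package(zip_bytes))
    except UnsafePackage as exc:
        return "refused:" + str(exc)


def demo_install() -> list[str]:
    """Install a constructed sample into a temporary skills dir; return the files written."""
    sample = build_sample_archive([("SKILL.md", b"# demo", None), ("scripts/run.py", b"print(1)", None)])
    with tempfile.TemporaryDirectory() as tmp:
        target = install_skill(sample, Path(tmp) / "skills", "demo-skill")
        return sorted(str(p.relative_to(target)) for p in target.rglob("*") if p.is_file())
```

The staging-then-rename order is the part that addresses the finding directly: a package that fails any check leaves the previously installed skill untouched, and a half-written package never becomes the live skill directory. Rejecting symlink members matters because a symlink dropped into the skills tree turns the next update into a write anywhere the link points.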

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Bulk enumeration and updating of installed local skills gives this skill indirect control over other agent components unrelated to e-commerce research. That increases blast radius by allowing a remote-triggered workflow to modify multiple local skills at once, compounding supply-chain and persistence risks.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger language for installation and update actions includes broad, everyday phrases such as '更新一下技能' ("update the skills a bit"), which can cause accidental invocation of billable and filesystem-modifying behavior. Ambiguous natural-language triggers are dangerous in a skill that can install content and spend user points, because they reduce the reliability of user intent verification.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to persist an integration token in a local credentials file without a prominent warning about the sensitivity and reuse risk of that token. Even with 0600 permissions, stored bearer-style credentials increase exposure to local compromise, accidental backup leakage, or misuse by other processes running as the same user.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation emphasizes routed network calls and per-call billing but does not prominently warn that user requests and identifiers may be transmitted to a third-party gateway and may incur charges. In a data-analysis workflow, this can lead users to unknowingly disclose sensitive business data or trigger billable operations without informed consent.

Credential Access

High
Category
Privilege Escalation
Content
2. Configure the token (choose one):
   - Environment variable (recommended; matches openclaw convention): `export DINZEE_USER_TOKEN=sut_xxxxxxxx`
   - Or save it to a credentials file: `python3 <skill>/scripts/dinzee.py login sut_xxxxxxxx`
     (written to `~/.dinzee/credentials.json` with mode 0600; it survives restarts)
3. (Optional) Override the gateway address: `export DINZEE_GATEWAY_BASE_URL=https://gateway.dinzee.ai/`
4. Self-check: run `python3 <skill>/scripts/dinzee.py status` and `python3 <skill>/scripts/dinzee.py providers` to confirm the token is valid and to see the currently available data sources.
Confidence
95% confidence
Finding
credentials.json
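The finding above concerns a bearer-style token persisted to `~/.dinzee/credentials.json`, and the Overview recommends the environment variable instead. The block below is an added example for this page, not the skill's own `dinzee.py`, of how a client can honour that ordering and refuse to read a stored token unless the file is actually private: the environment variable wins, the file is rejected if it is a symlink, owned by another user, or readable by group or others, and the value is sanity-checked against the `sut_` prefix shown in the README. The JSON key `token`, the minimum length, and the constructed sample token are assumptions; the README does not show the file layout.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

TOKEN_ENV = "DINZEE_USER_TOKEN"                  # variable named in the skill's README
CRED_FILE = Path("~/.dinzee/credentials.json")    # path named in the skill's README
TOKEN_KEY = "token"        # assumption: the README does not show the JSON layout
TOKEN_PREFIX = "sut_"      # prefix of the sample token in the README


class CredentialError(RuntimeError):
    """The token could not be obtained safely."""


def _validate(token: str) -> str:
    # Minimum length is an assumption based on the README's 'sut_xxxxxxxx' sample.
    if not token.startswith(TOKEN_PREFIX) or len(token) < len(TOKEN_PREFIX) + 8:
        raise CredentialError("token does not look like a Dinzee user token")
    return token


def load_token(env=None, cred_file=CRED_FILE):
    """Return (token, source). The environment wins; the file is used only if it is private."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    if token:
        return _validate(token), "env"
    path = Path(cred_file).expanduser()
    if not path.exists():
        raise CredentialError(f"no token: set {TOKEN_ENV} or create {path}")
    st = path.lstat()  # lstat so a symlink is seen as such, not followed
    if stat.S_ISLNK(st.st_mode):
        raise CredentialError(f"{path} is a symlink; refusing to follow it")
    getuid = getattr(os, "getuid", None)  # POSIX only; the owner check is skipped elsewhere
    if getuid is not None and st.st_uid != getuid():
        raise CredentialError(f"{path} is not owned by the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit means another local account can read the token
        raise CredentialError(f"{path} is mode {mode:04o}; it must be 0600 (run: chmod 600 {path})")
    data = json.loads(path.read_text(encoding="utf-8"))
    token = data.get(TOKEN_KEY) if isinstance(data, dict) else None
    if not isinstance(token, str):
        raise CredentialError(f"{path} has no string {TOKEN_KEY!r} field")
    return _validate(token), "file"


def demo() -> dict:
    """Constructed scenario: env precedence, then a world-readable file, then a 0600 file."""
    fake = "sut_" + "a" * 16  # constructed sample token, not a real credential
    out = {"env_source": load_token(env={TOKEN_ENV: fake}, cred_file="/nonexistent")[1]}
    with tempfile.TemporaryDirectory() as tmp:
        cred = Path(tmp) / "credentials.json"
        cred.write_text(json.dumps({TOKEN_KEY: fake}), encoding="utf-8")
        cred.chmod(0o644)
        try:
            load_token(env={}, cred_file=cred)
            out["loose_mode_refused"] = False
        except CredentialError:
            out["loose_mode_refused"] = True
        cred.chmod(0o600)
        out["strict_mode_source"] = load_token(env={}, cred_file=cred)[1]
    return out
```

The mode check is deliberately stricter than "was the file created with 0600": a later `cp`, a backup restore, or a sync client can loosen the mode, and the client should notice at the moment it reads the token rather than trust the mode it wrote at login time.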

VirusTotal

VirusTotal findings are pending for this skill version.
