Security audit

Keyword Monitoring System (关键词监控系统)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the monitoring and report delivery it advertises, but its privacy disclosures conflict with third-party search and Feishu webhook data flows.

Install only if you are comfortable sending monitored topics, collected items, and generated reports to the configured search provider and Feishu/webhook destination. Avoid sensitive or regulated keywords until the skill clearly documents third-party data flow, retention expectations, and how to disable external pushes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The README states that all data is stored locally and will not be uploaded to third parties, but the same document says the skill uses Tavily API and can push reports to a Feishu webhook. This is a materially misleading privacy claim because monitored keywords, collected content, metadata, and generated reports may be transmitted to external services, causing users to underestimate data-sharing risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description highlights automated collection and daily Feishu pushes but does not clearly warn that monitored data will be sent to third-party services. In a monitoring tool, this omission is security-relevant because users may input sensitive keywords, sources, or lead data without realizing that external providers will receive related content or report payloads.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.