Skill 9 0.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad internet-access setup helper that also asks for raw browser cookies and exposes account-backed posting actions, so it needs careful review before use.

Install only if you intentionally want broad platform automation and trust the publisher and upstream tools. Do not paste main-account cookies into chat; use a dedicated account, limit stored credentials, and require explicit confirmation before any post, upload, like, comment, or other account-changing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill is presented as an install/configuration helper, but its documented behavior extends into direct data access across many platforms and operational use of upstream tools. This scope mismatch is dangerous because users or orchestrators may grant it broader trust or auto-invoke it for benign setup requests, while it actually enables surveillance, scraping, and downstream actions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The XiaoHongShu section includes publishing functions for posts and videos, which is materially different from merely configuring channel access. This creates action capability on third-party accounts and could lead to unauthorized posting, account abuse, reputational harm, or policy violations if the skill is triggered in a setup context.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding: The document says agent-reach itself is only an installer/config tool, but immediately instructs the agent to use the installed tools for reading and searching content directly. This contradiction obscures the real operational effect of enabling the skill and increases the risk that it is treated as low-risk setup code when it actually expands collection capability.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases are broad and overlap with ordinary user requests such as 'help me configure' or 'install channels', making accidental invocation more likely. In this skill, accidental activation is more dangerous because invocation can lead to package installation, credential collection prompts, and broad internet access enablement.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill instructs users to export full cookie header strings and send them to the agent, but does not clearly frame them as highly sensitive session credentials equivalent to account access. This is dangerous because cookies can enable account takeover, impersonation, scraping under the user's identity, and persistence beyond the immediate task.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill explicitly endorses both manual handoff of browser cookies and automatic extraction from the local browser. Those patterns resemble credential harvesting because they collect reusable authentication material from the user's browsing environment and channel it into tooling for persistent third-party access.

VirusTotal

64/64 vendors flagged this skill as clean.