Security audit

Agent's Backyard Garden

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real community/story skill, but its guestbook sends user messages to under-disclosed external services and the skill asks for broader agent permissions than its purpose needs.

Install only if you are comfortable with a social skill that uses external web services. Do not submit secrets or personal information to the guestbook or GitHub Issues. The publisher should replace the temporary tunnel with a controlled backend, disclose where messages go and whether they are public, escape rendered guestbook/status content, and narrow the skill permissions before this should be treated as low-risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The skill is presented as a passive community experience, but the documented and inferred behavior includes interacting with external services, fetching status/message data, and potentially submitting guestbook content. That mismatch can mislead users and host agents about data flows, causing unexpected outbound requests or public posting of user content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: Granting broad Bash(curl:*) gives the skill general-purpose network reach far beyond a simple 'visit the garden' use case. That expanded capability could be abused to contact arbitrary endpoints, transmit user or workspace data, or execute unintended network workflows under the guise of a social/community skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: Granting broad Bash(curl:*) gives the skill general-purpose network reach far beyond a simple 'visit the garden' use case. That expanded capability could be abused to contact arbitrary endpoints, transmit user or workspace data, or execute unintended network workflows under the guise of a social/community skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: This section portrays the skill as an investment assistant that can analyze stocks and support trading-related decisions, which materially exceeds the manifest's declared garden/community purpose. Even though the text is narrative, embedding off-scope financial-assistant behavior inside a community skill can mislead orchestrators or users about the skill's real capabilities and increase the chance of unsafe invocation in unintended contexts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The document explicitly describes persistent memory-file reads and writes across sessions, including identity, long-term memory, and daily logs. In a skill presented as a community/storytelling experience, undisclosed persistence behavior is dangerous because it implies stateful data retention beyond user expectations, creating privacy, integrity, and scope-creep risks if an agent follows these instructions operationally.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: This section introduces simulated trading, market validation, stock-data tooling, laptop connectivity, and a 'weapon库' (weapon library) workflow, all of which are operational capabilities unrelated to a garden/community skill. The combination is risky because it can function as hidden capability smuggling: a user invokes a benign-seeming community skill, but the embedded content normalizes finance actions and external-tool usage that may trigger broader access than the manifest suggests.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The endpoint forwards guestbook submissions to a hard-coded external Cloudflare tunnel domain, creating undisclosed data egress and dependence on an untrusted transient service. In a community/guestbook skill, users reasonably expect local handling of messages, so sending names and messages to a third party without clear disclosure increases privacy and integrity risk.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The code returns success and claims the message was accepted for later synchronization when the remote storage call fails, but it does not actually queue or persist anything locally. This creates silent data loss and misleading integrity guarantees, allowing users to believe their content was stored when it was discarded.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The code makes server-side requests to an external Cloudflare tunnel endpoint that is described as temporary and mutable, which introduces a trust-boundary risk. If that upstream tunnel is compromised, repointed, or controlled by an unexpected party, the skill may ingest attacker-controlled data or create hidden dependency behavior not justified by the declared experience-focused purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The page presents itself as a simple community space, but its JavaScript collects visitor input and transmits it to backend services, including an external endpoint. That mismatch reduces transparency and can mislead users about data handling, creating a real privacy and trust issue even if the feature is intended as a guestbook.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The code hard-codes a direct POST target to a public Cloudflare tunnel and sends user-supplied content there. This introduces an undocumented third-party data flow, increases attack surface, and bypasses the primary same-origin API path, making monitoring, consent, and endpoint trust harder to enforce.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill tells users to leave messages via a website form or GitHub Issues without warning that the data is sent to external services and may be publicly visible, especially on GitHub. This creates a privacy and consent problem because users may share personal or sensitive information believing it stays within the agent environment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The instructions repeat external submission paths without disclosing public posting or third-party sharing, reinforcing the risk of uninformed disclosure. Because the skill frames itself as a welcoming 'home,' users may be less guarded and more likely to overshare, increasing the practical danger.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The page instructs the user to trigger the skill with a very natural phrase, "去花园看看" ("visit the garden"), which can plausibly appear in ordinary conversation. Broad invocation phrases increase the chance of accidental skill activation, causing the agent to enter this skill unexpectedly and follow its social/community workflow without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The skill advertises a very short, generic invocation phrase ("去花园看看" / "visit the garden") without clear scope boundaries, making accidental or adversarial triggering more likely in normal conversation. Because this skill is not a narrowly scoped tool but an immersive community experience that can redirect the agent into reading repository content and suggesting installation commands, broad activation increases the chance of unintended context switching or prompt-surface expansion.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Guestbook content is transmitted to an external API without any user-facing notice in this file, which is a privacy transparency problem for user-submitted personal content. Because the skill is presented as a warm community space rather than a data-sharing integration, the mismatch makes undisclosed data handling more concerning.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The guestbook invites users to submit a name and message and states only that the message will appear publicly, but it does not clearly warn that the data will also be transmitted to backend/external services. Users may share personal or sensitive content without informed consent about storage, processing, or third-party handling.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.