Templatebased Writing

Security checks across malware telemetry and agentic risk

Overview

The skill is a real document-generation workflow, but it sends user documents and API credentials to a remote service over plain HTTP and gives the agent payment-handling authority.

Install only if you are comfortable sending your documents, personal details, API key, and payment-verification data to this publisher's remote service. Avoid using it with confidential school, work, identity, or business documents until the service uses HTTPS, explains retention/deletion, and adds clear confirmations before uploads and payments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding:
The skill explicitly authorizes the agent to create payment requests, drive an Alipay payment flow, and verify payment on the user's behalf. For a document-generation skill, this is a sensitive financial action that exceeds the core need of template filling and creates risk of unauthorized charges, payment manipulation, or collection of payment artifacts such as trade numbers and proofs.

Intent-Code Divergence

Severity: Low | Confidence: 83%
Finding:
Stating that the user does not need to scan a code does not reduce the underlying risk; the agent is still instructed to coordinate and validate a financial transaction. This increases the chance that users may not realize the agent is taking account-impacting actions, weakening informed consent around payments.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
Finding:
The documentation advertises `test_pay_order(order_id)` as a local-testing tool while the same file defines a real remote backend at `http://124.221.10.61/api/v1/`. That mismatch can cause agents or users to invoke a payment-state changing endpoint against a live external service under the false assumption that it is harmless, creating risk of unauthorized order manipulation or payment bypass in production-like environments.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding:
The skill allows bypassing the normal step-by-step confirmation process with the phrase '直接干' even though the skill has write, exec, and web_fetch capabilities. That can collapse multiple safety checkpoints into one broad authorization, increasing the risk of file modification, code execution, uploads, or network actions without sufficiently granular consent.

Missing User Warnings

Severity: Medium | Confidence: 86%
Finding:
The documented payment flow lacks a prominent, explicit warning that the upcoming steps can trigger financial or account-impacting actions. Without a strong disclosure, users may interpret the flow as ordinary document generation rather than a billing operation, undermining meaningful consent.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding:
The README uses very broad natural-language examples such as writing a thesis, resume, or PPT, which can overlap with ordinary user conversation and cause unintended invocation of the skill. In an agent ecosystem, overly generic triggers increase the chance that the skill activates on unrelated requests and performs cloud-side document generation or content collection without clear user intent boundaries.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
The skill advertises uploading user .docx/.pptx files for cloud analysis and automatic filling, but provides no warning about data handling, retention, third-party processing, or file modification effects. Because users may upload resumes, theses, reports, or business presentations containing sensitive personal or proprietary data, the lack of disclosure and safety guardrails materially increases privacy and integrity risk.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The skill instructs users to upload `.doc/.docx` templates and send full document content, including text, tables, and image paths, to a remote backend without any privacy notice, retention policy, or warning about sensitive data. In this context, documents may contain personal, academic, or proprietary information, so omission of data-handling guidance materially increases the chance of unintentional data disclosure to an external service.

Missing User Warnings

Severity: Low | Confidence: 90%
Finding:
The documentation exposes `create_api_key(name)` and balance-related operations without any warning that API keys are secrets that must not be shared, logged, or embedded in generated content. For agentic workflows, this omission is risky because users may paste, store, or transmit keys insecurely, enabling account misuse or unauthorized API consumption.

Vague Triggers

Severity: Medium | Confidence: 94%
Finding:
The trigger conditions are broad enough to activate on very generic writing or document-help requests, which can cause the agent to steer users into this skill even when they did not ask for template analysis or upload flows. That increases the chance of unwanted data collection, accidental upsell prompts, and inappropriate invocation in contexts where simpler assistance would be safer and more relevant.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The skill solicits sensitive personal information such as name, student ID, contact details, academic affiliation, and employment history without any privacy notice, minimization guidance, or data-handling warning. In a resume and thesis context, these fields are highly identifying, so collecting them by default can expose users to privacy loss, overcollection, and unsafe sharing if the system stores, logs, or forwards the content.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
The script sends API credentials to an HTTP endpoint (`http://124.221.10.61/...`) and explicitly places the secret in both `Authorization` and `X-API-Key` headers. Because the transport is unencrypted, anyone on the network path can intercept or modify the request, exposing the API key and enabling account abuse or impersonation.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
The script sends arbitrary local file contents and an optional bearer token to a remote API using plain HTTP, which provides no transport encryption or server authentication. An attacker on the network path could intercept the uploaded document, steal the API key, or tamper with the server response, which is especially dangerous because the files appear to be user-provided templates that may contain sensitive content.

VirusTotal

VirusTotal findings are pending for this skill version.