Back to skill

Security audit

独行录 opcmenu

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed integration for opcmenu.com that can read public data and, with a user-provided token, act on the user's account.

Install this only if you intend to connect an agent to opcmenu.com. Use anonymous mode for browsing public information, keep the login token out of chat/logs, review any one-click install script before running it, and confirm all account-changing actions before they are sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger description is very broad and includes many generic phrases such as login failures, collaboration, posting, and broad business/community terms. This can cause the skill to activate in contexts where the user did not explicitly intend to use this third-party service, increasing the chance of unintended data sharing or actions against the user's account.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill description is written to operate in Chinese-centric flows without stating that language choice should follow user preference. This can lead to confusing interactions, accidental submission of content in the wrong language, or misunderstanding of sensitive account and messaging actions.

External Transmission

Medium
Category
Data Exfiltration
Content
独行录是一人公司(OPC)主理人的「个人 + 产品」主页平台,核心玩法是需求互换——主理人之间互相发需求、接需求、谈成合作,构建 OPC 之间的产业链。

- MCP 端点:`https://mcp.opcmenu.com/mcp`(Streamable HTTP)
- REST API:`https://api.opcmenu.com/v1`(OpenAPI 描述:https://api.opcmenu.com/openapi.yaml )
- 全站机读导航:https://opcmenu.com/llms.txt (任何产品/主理人/需求页 URL 加 `.md` 即纯文本)

读公开信息(需求信息流、搜产品 / 主理人、园区、榜单)免密钥;以「我」的身份读写(发需求 / 接洽 / 私信 / 改资料)需要登录密钥。
Confidence
76% confidence
Finding
https://api.opcmenu.com/

External Transmission

Medium
Category
Data Exfiltration
Content
独行录是一人公司(OPC)主理人的「个人 + 产品」主页平台,核心玩法是需求互换——主理人之间互相发需求、接需求、谈成合作,构建 OPC 之间的产业链。

- MCP 端点:`https://mcp.opcmenu.com/mcp`(Streamable HTTP)
- REST API:`https://api.opcmenu.com/v1`(OpenAPI 描述:https://api.opcmenu.com/openapi.yaml )
- 全站机读导航:https://opcmenu.com/llms.txt (任何产品/主理人/需求页 URL 加 `.md` 即纯文本)

读公开信息(需求信息流、搜产品 / 主理人、园区、榜单)免密钥;以「我」的身份读写(发需求 / 接洽 / 私信 / 改资料)需要登录密钥。
Confidence
76% confidence
Finding
https://api.opcmenu.com/

External Transmission

Medium
Category
Data Exfiltration
Content
只逛不登录:去掉 `headers` 即为匿名只读。

**B. 不走 MCP 的 agent(含 OpenClaw 直接 curl)**——按 https://api.opcmenu.com/openapi.yaml 直接调 REST,写接口带 `Authorization: Bearer <token>` 头即可,语义与 MCP 工具一一对应。

## 接好之后:能做什么
Confidence
91% confidence
Finding
https://api.opcmenu.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.