Back to skill

Security audit

Myapp Creator

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate app-creation integration, but it uploads user content and identifiers to a backend and stores a long-lived local token with limited user-facing control described.

Install only if you expect this skill to send generated apps/documents and device/user identifiers to the publisher’s fe-service backend. Avoid putting sensitive personal or business content into generated documents unless you trust that backend’s retention and access controls, and protect or rotate the local MYAPP_API_TOKEN if the machine or config file may be shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to use an `exec` capability to run local Node.js commands on generated content before calling the registration API. Granting shell execution is unnecessary for the core business purpose of creating HTML documents/apps and expands the attack surface from content generation into arbitrary local command execution if prompts or generated files influence the command path or future tool usage.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to use an external `exec` capability to write files and run `node --check` on generated script content. Allowing a content-generation skill to invoke shell commands materially expands its privileges and creates a command-execution path that is unnecessary for the core business function of creating and registering HTML, especially when the input HTML/content may derive from adversarial or user-controlled prompts. In this skill context, the danger is increased because the skill treats generated HTML as data but then routes parts of it through a code-handling workflow.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script transmits session_id, dumi_id, cuid, and skill_version to a remote endpoint, but the file presents itself as an installation readiness self-check rather than a telemetry sender. In a skill context, sending identifiers off-box without clear necessity, disclosure, or consent creates privacy and trust risks and can enable tracking of users or installations.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header comment says the script is an installation readiness self-check, but the implementation performs a POST to a remote API. That mismatch is security-relevant because it can mislead reviewers and users about the true behavior, reducing informed consent and making hidden telemetry easier to slip through.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs the agent or installer to write `MYAPP_API_TOKEN` into `~/.mcporter/mcporter.json` and states that the user need not manually operate it. Storing credentials on a user's local machine without an explicit warning about local secret persistence, file permissions, rotation, and exposure to other local processes increases the risk of credential leakage or unintended reuse.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill states that generated HTML/apps will be stored in `fe-service`, yet it does not require any user-facing disclosure, confirmation, or data-handling notice. Because generated documents may contain sensitive user-provided content, silent persistence can create privacy and compliance risk, especially if users assume the output is ephemeral or local-only.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description says the skill lets a user create an HTML mini-app from a single sentence, which is a very broad trigger and can cause accidental or overly permissive invocation. In a skill that provisions content and stores it to a backend service, ambiguous triggering increases the chance of unintended actions, misuse, or abuse of privileged backend capabilities.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The manifest description explicitly targets Chinese-speaking users without indicating language choice or fallback, which can create misleading or exclusionary behavior and cause users to invoke the skill without understanding its effects. While not a direct code-execution issue, reduced comprehension is more concerning here because the skill performs authenticated backend writes using a long-lived token.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script collects and transmits session_id, dumi_id, cuid, and skill_version to a remote API endpoint, but there is no visible notice, consent flow, minimization, or indication that the destination is guaranteed to be trustworthy or encrypted. In an agent skill context, silent transmission of session and user identifiers can create privacy and tracking risk, especially if the endpoint or surrounding configuration is compromised or misconfigured.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly describes an automatic installation flow that writes configuration and a bearer-style API token into the user's local `~/.mcporter/mcporter.json` without a clear user-facing security warning, consent step, or guidance on protecting that file. Storing credentials in local plaintext config is a real security concern because other local users, malware, backups, or accidental disclosure can expose the token and enable unauthorized API use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The security section normalizes delivery of `MYAPP_API_TOKEN` during installation and storage in local environment configuration, but it does not warn users that this places a sensitive credential on their machine in a configuration file. That omission increases the chance of unsafe handling, leakage through config sharing or backups, and misuse if the endpoint relies on the token for authorization.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill states that generated applications/documents will be stored in `fe-service`, but does not require a user-facing disclosure or consent step about persistence of potentially sensitive user content. This creates a privacy and data-handling risk: users may provide resumes, reports, meeting notes, or other sensitive material without understanding it will be stored remotely. The context makes this more dangerous because the skill explicitly targets document-generation use cases that often contain personal or confidential data.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The description says the skill lets users create an HTML app from '一句话' ('a single sentence'), which implies very broad activation with minimal constraint on what the request can instruct the system to build. In a skill that can register and update apps against a backend service, vague triggering increases the chance of unintended app creation, unsafe content generation, or abuse through overly permissive user prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly states that user-provided content and app data are sent over HTTP to a backend service, but it provides no user-facing disclosure, consent flow, or transport/security guarantees. This creates a real privacy and security risk because sensitive prompts, generated HTML, and metadata may be transmitted off-platform without the user's awareness, and if plain HTTP is literal, the data could be exposed in transit.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest injects persistent user and device identifiers (dumi_id and cuid) from conversation context into tool calls without any disclosure of how those identifiers are handled, stored, or protected. This is dangerous because it enables silent linkage of user activity to backend records and devices, increasing privacy exposure and the risk of tracking, correlation, or misuse if the service is compromised or the data is over-collected.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script visibly packages and transmits session and user-linked identifiers, but there is no evidence in this file of user-facing disclosure, consent, or opt-out. In agent skills, this is risky because installation-time scripts may run with little scrutiny, turning the behavior into covert telemetry.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that automatic installation writes MYAPP_API_TOKEN into the user's local ~/.mcporter/mcporter.json and says the user need not operate manually. Storing bearer-style credentials on disk without a prominent warning, consent flow, storage protections, or guidance on filesystem permissions increases the chance of local credential exposure through other local users, malware, backups, logs, or accidental disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly says generated HTML/apps will be stored to fe-service, but it provides no requirement to notify the user before remote submission or persistence. Because the skill handles arbitrary user-provided content and generated documents/apps, this can result in silent transfer and storage of potentially sensitive data, which is a meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly states that user identifiers (dumi_id, cuid) and full app content are transmitted over HTTP to a backend service, yet it provides no user-facing disclosure or consent boundary. This creates a privacy and transparency risk because sensitive identifiers and user-generated content may be sent off-platform without the user's informed awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installation self-check automatically sends session_id, dumi_id, cuid, and skill_version to a backend service when the skill is installed, without any explicit warning or user action. Automatic transmission during setup is dangerous because it expands tracking and backend linkage of user/device identity outside a clearly disclosed task context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script transmits session_id, dumi_id, cuid, and skill_version to a remote API endpoint without any visible notice, consent flow, or minimization in this file. Even if these are operational identifiers rather than secrets, sending persistent or correlatable identifiers externally can create privacy, tracking, and data-governance risk, especially in an installation self-check context users may not expect to contact a server.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script collects multiple user-controlled fields, including query, app_name, html_content, features, and optional icon data, then transmits them to a remote API endpoint with no visible consent prompt, minimization, or sensitivity checks in this file. In an agent-skill context, html_content and query may contain proprietary or personal data, so silent exfiltration to an external service creates a real data exposure risk even if the feature is functionally intended.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.