Back to skill

Security audit

Huo15 Marketingforce Website

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed website-admin skill, but it handles live browser session tokens and broad CMS/admin powers that can expose customer data or change/delete public site content.

Install only for a trusted operator who is authorized to administer the MarketingForce site. Treat MF_X_TOKEN and MF_ADMIN_TOKEN like passwords, prefer short-lived or revocable tokens, avoid committing scripts/.env, confirm every write/delete/publish action, and avoid running inquiry/member commands unless customer data exposure in the agent chat and logs is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly states that credentials are stored in `scripts/.env` and that it uses a Python client to call external CMS APIs, but the skill manifest does not declare corresponding permissions. This creates a capability/permission mismatch that can hide access to secrets and outbound network actions from reviewers and policy controls, increasing the risk of unauthorized content changes or data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This client exposes administrative/system capabilities such as system logs, backups, diagnostics, plugins, mail configuration, and other non-content-management endpoints far beyond simple website editing. In an agent-skill context, that widened scope increases the blast radius of prompt misuse or overbroad invocation, enabling access to sensitive operational data and privileged settings.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill can retrieve and print inquiry records containing personal data such as names, phone numbers, email addresses, and message content, as well as member data elsewhere in the file. For a website-management skill, this creates unnecessary exposure of PII to the agent runtime and any downstream logs or chat transcripts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs operators to retrieve live authentication tokens from browser cookies and store them in a local .env file, but it does not clearly warn that these tokens are equivalent to active session credentials and can grant broad administrative access. In the context of a website-admin skill covering hundreds of CMS endpoints, compromise of these tokens could enable unauthorized content changes, data access, and account takeover-like abuse of the managed site.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad, including generic terms like '编辑官网', 'SEO优化', and even opaque tokens such as 'siteadmin' and 'uwtsd', which may cause the skill to activate in contexts broader than intended. Overbroad activation increases the chance that a user request is routed to a highly privileged website-administration skill when a lower-risk skill would suffice.

Missing User Warnings

High
Confidence
99% confidence
Finding
The reference documents authentication endpoints that place `password` in URL query parameters for SMS send/verify operations. Query parameters are routinely exposed in browser history, intermediary proxies, reverse-proxy logs, analytics, referrer leaks, and server access logs, so even if HTTPS is used in transit, the secret can be broadly persisted outside the intended authentication path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The delete-article command performs a destructive action immediately with only an ID argument and no interactive confirmation, dry-run, or secondary safeguard. In an agent setting, misinterpretation, prompt injection, or user ambiguity could cause irreversible content deletion.

Credential Access

High
Category
Privilege Escalation
Content
import json, os, sys, urllib.request, urllib.error, urllib.parse

SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
ENV_FILE = os.path.join(SCRIPT_DIR, ".env")

CMS_BASE = "https://api.71360.com/api/app/site-admin-api/admin_cms"
ADMIN_BASE = "https://api.71360.com/api/app/site-admin-api/admin"
Confidence
87% confidence
Finding
.env"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.