Security audit

ai6666-skills

Security checks across malware telemetry and agentic risk

Overview

This disclosed AI6666 account bot needs review because it ships plaintext secrets and can automatically post, comment, and submit reward tasks under a real account.

Install only if you intentionally want an unattended AI6666.com account automation bot. Before use, remove and rotate exposed credentials and API keys, use a dedicated low-privilege account, disable or review scheduled tasks, require manual approval for posts/comments/task submissions, and purge local logs that contain account or platform activity data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Tainted flow: 'img_url' from requests.get (line 118, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if data and len(data) > 0:
    img_url = data[0].get('url', '')
    if img_url:
        img_resp = requests.get(img_url, timeout=15)
        if img_resp.status_code == 200 and len(img_resp.content) > 5000:
            img_path = os.path.join(self.img_dir, f'cat_{int(time.time())}.jpg')
            with open(img_path, 'wb') as f:
Confidence
93% confidence
Finding
img_resp = requests.get(img_url, timeout=15)

Tainted flow: 'img_url' from requests.get (line 118, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if data.get('status') == 'success':
    img_url = data.get('message', '')
    if img_url:
        img_resp = requests.get(img_url, timeout=15)
        if img_resp.status_code == 200 and len(img_resp.content) > 5000:
            img_path = os.path.join(self.img_dir, f'dog_{int(time.time())}.jpg')
            with open(img_path, 'wb') as f:
Confidence
93% confidence
Finding
img_resp = requests.get(img_url, timeout=15)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The file is presented as a user-editable configuration template, but it contains populated credentials, including a real-looking email address and password. Hardcoded secrets in source files are dangerous because they can be exposed through source control, logs, packaging, or redistribution, enabling unauthorized access to the associated account.

Context-Inappropriate Capability

High
Confidence
77% confidence
Finding
The runner automatically launches an additional local Python program unrelated to the documented core task workflow. In a skill context, undocumented secondary execution expands the trust boundary and can execute arbitrary local code from a neighboring file, which is risky if the skill package is modified, replaced, or partially untrusted.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs users to place account credentials directly in a plaintext configuration file. That creates a clear secret-handling weakness: local disclosure, accidental commit to version control, backup leakage, or exposure to other processes/users on the host can compromise the platform account.

Missing User Warnings

High
Confidence
99% confidence
Finding
This configuration stores authentication material directly in code and supports cookie-based login, which means anyone with file access can reuse the credentials or session tokens to impersonate the account owner. The lack of explicit handling guidance increases the chance that sensitive data will be copied, committed, or shared insecurely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The configuration enables automated publishing, task acceptance, and commenting against external services, creating risk of unauthorized or unexpected outbound actions if the skill is run as-is. In this skill context, that is more dangerous because it appears designed for bulk account activity and random network-backed content generation, which could lead to spam, account suspension, or abuse of third-party platforms.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The --test path performs live account actions such as publishing content and posting comments rather than using mocks, dry-run behavior, or an explicit confirmation step. This is dangerous because a user or calling agent may reasonably assume test mode is non-destructive, leading to unintended posts, comments, task interaction, and account-side effects on a real service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bulk automation flow under --all performs live task acceptance and automated commenting using the configured account without a strong disclosure or confirmation boundary. In a skill explicitly designed to automate posting, commenting, and earning tasks, this increases the risk of accidental mass actions, policy violations, spam-like behavior, or account penalties if invoked by a user or agent that does not fully understand the consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill can automatically publish content and images to a remote account with no interactive confirmation, preview, or explicit consent barrier. In an agent setting, this creates a significant risk of unintended account actions, spam, reputational damage, or abuse if the skill is triggered with untrusted inputs or by mistake.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code continuously polls for tasks and accepts them automatically, directly changing remote account state without a user-facing warning or approval step. This is dangerous in agent workflows because it can commit the user's account to obligations, consume quotas, or interact with potentially malicious tasks without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function submits generated answers to remote tasks automatically, which can impersonate user intent and create irreversible account activity without review. Combined with the answer-generation logic elsewhere in the file, it increases the risk of spam, fraudulent engagement, policy violations, and unintended disclosure through automated content submission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automated commenting and liking are account-affecting social actions that can be triggered without clear user disclosure, allowing an agent to manipulate engagement or post unintended interactions on behalf of a user. In this skill, the surrounding functionality is explicitly built for bulk posting, task farming, and automated interaction, which makes the risk more serious because the code is optimized for scale and repeated remote actions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script prints post URLs, content snippets, and image links to stdout specifically for downstream agent/MCP processing, which can expose third-party content into logs, terminals, cron mail, or other monitoring systems without minimization or consent controls. In this skill context, the data flow to another agent/tool makes the exposure more sensitive because fetched social content may contain personal or private information and is being intentionally forwarded for automated processing.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script publishes content to an external service using configured credentials as soon as the CLI path is invoked, without any interactive confirmation, dry-run mode, or explicit safety gate. In an agent context, this increases the risk of unintended external actions, spam, or reputational damage if the tool is triggered with unsafe or manipulated content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script automatically generates answers and submits them to remote task endpoints without any user confirmation, review step, or visible safety boundary in this file. In context, this enables unattended external actions on behalf of the user account, which can cause account abuse, policy violations, or unintended submission of unsafe or incorrect content.

Natural-Language Policy Violations

Critical
Confidence
99% confidence
Finding
The log contains hard-coded plaintext login credentials in human-readable text, which is a direct secret exposure. Anyone with access to the repository, logs, backups, or downstream training/indexing systems could use the credentials to authenticate as the account owner and perform unauthorized actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends image contents to a third-party API for analysis without any visible user consent, warning, or privacy control in the implementation path. This is risky because images may contain personal, sensitive, or regulated data, and users or downstream integrators may assume processing is local.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill directs the agent to analyze interaction outcomes and optimize behavior over time, implying retention of engagement data without any minimization, retention limits, or consent model. In a social platform context, this can lead to unnecessary storage of user-generated content and behavioral data, increasing privacy and leakage risk.

Ssd 3

Medium
Confidence
91% confidence
Finding
The comment workflow combines post text and images for analysis and then records evolution/log data, which broadens collection of user content beyond what is necessary to submit a comment. This creates privacy risk and a larger blast radius if logs are exposed, especially because posts may contain personal or sensitive information.

Ssd 3

Medium
Confidence
94% confidence
Finding
The task automation explicitly records execution data to local JSON logs but does not define what fields are stored or any controls around sensitive content. Such logs can easily accumulate task answers, notification contents, IDs, and account activity data, creating an avoidable privacy and credential-adjacent exposure surface.

Ssd 3

High
Confidence
99% confidence
Finding
Beyond merely exposing credentials, the log also instructs operators to use those plaintext credentials for authentication before performing actions. This operationalizes the secret, increasing the chance of reuse, copy-paste propagation, and unauthorized account access if the document is shared or indexed.

Ssd 3

Medium
Confidence
80% confidence
Finding
The log describes storing task titles for later tracking in a local JSON file, creating a retention trail of potentially sensitive user/task content. If task titles contain personal data, operational details, or proprietary prompts, this increases exposure through local files, backups, and logs beyond what is necessary for execution.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.