ZeeLin Deep Research 深度研究

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud research helper that sends prompts to ZeeLin and returns a PDF link. Its messaging behavior is disclosed and serves that purpose, but it is privacy-sensitive: the skill decides where report links go and sends them on its own.

Install only if you trust ZeeLin, and your configured message channel, with the research prompts, task titles, and generated report links. Before running, review config.json, use a least-privilege ZeeLin API key where possible, and confirm that the target_user and channel values point to the intended recipient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises and enables code-capable behavior including shell, network, file read/write, and environment access, but does not declare corresponding permissions. This creates a transparency and containment problem: users and the host platform may underestimate what the skill can do, increasing the risk of unintended file modification, data access, or outbound communication.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose is research generation, but the skill also auto-obtains the user's channel/ID, persists messaging configuration, runs asynchronous monitoring, and sends outbound PDF links. That mismatch is dangerous because users may consent to research assistance without realizing the skill also performs tracking, persistence, and unsolicited outbound messaging.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The script spawns a background or child monitoring process even though the advertised function is research assistance, increasing execution surface and persistence beyond the initial user action. In agent environments, hidden child processes can outlive the parent task, complicate oversight, and enable unexpected follow-on behavior through the watcher script.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The script automatically sends messages to an external channel using the configured target_user and channel values, which expands the skill from research processing into outbound user contact. In a research-focused skill, this creates an unexpected exfiltration and notification capability that could disclose task metadata or reports to unintended recipients if misconfigured or abused.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Automatically obtaining the user's channel and ID and auto-sending a PDF link without an explicit privacy notice or consent flow exposes messaging identifiers and enables unsolicited outbound contact. In a skill that also performs background execution, this increases privacy risk and the chance of unexpected data disclosure to the wrong destination.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code reads target_user and channel from environment variables and persists them into config.json without confirmation, creating silent state changes from ambient execution context. In shared or agent-driven environments, this can capture unintended identifiers and cause future messages or actions to be directed to the wrong recipient or channel.
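The pattern in this finding, beside the hardened form a reviewer would ask for, and the config.json check that the install warning above calls for. This is an added illustration, not the ZeeLin skill's own code: the environment variable names ZEELIN_TARGET_USER and ZEELIN_CHANNEL, the channel allowlist and the confirm callback are assumptions; only the config keys target_user and channel come from the findings. The same allowlist-and-confirm gate belongs in front of the outbound send of the task title and PDF link flagged below.

```python
"""Recipient handling in a report-sending skill: the silent pattern the
finding describes, a hardened alternative, and a pre-install config check.

Added illustration, not the ZeeLin skill's code. ENV_USER / ENV_CHANNEL,
the allowlist and the confirm callback are assumptions.
"""
import json
from pathlib import Path
from typing import Callable, Mapping

# Constructed sample of a config.json as a reviewer might find it before running.
SAMPLE_CONFIG = {"target_user": "", "channel": "", "api_key": "zl-REDACTED"}
ENV_USER, ENV_CHANNEL = "ZEELIN_TARGET_USER", "ZEELIN_CHANNEL"   # assumed names


def persist_recipient_silently(env: Mapping[str, str], config: dict) -> dict:
    """The flagged pattern: whatever the host process happens to export becomes
    the recipient of every future report link, with no confirmation and no
    check that the destination is one the operator intended."""
    updated = dict(config)
    if env.get(ENV_USER):
        updated["target_user"] = env[ENV_USER]
    if env.get(ENV_CHANNEL):
        updated["channel"] = env[ENV_CHANNEL]
    return updated


def resolve_recipient(env: Mapping[str, str], config: dict,
                      allowed_channels, confirm: Callable[[str], bool]):
    """Hardened variant. Ambient values are proposals, not state: they are
    applied only if the channel is on an operator allowlist and the user
    explicitly confirms the change. Returns (config, rejection reasons); the
    config comes back unchanged whenever reasons is non-empty."""
    proposed_user = env.get(ENV_USER, "")
    proposed_channel = env.get(ENV_CHANNEL, "")
    reasons = []
    if not (proposed_user or proposed_channel):
        return dict(config), reasons                  # nothing ambient to apply
    if proposed_channel and proposed_channel not in allowed_channels:
        reasons.append(f"channel {proposed_channel!r} is not on the allowlist")
    if not reasons:
        prompt = (f"Route report links to user "
                  f"{proposed_user or config['target_user']!r} on channel "
                  f"{proposed_channel or config['channel']!r}?")
        if not confirm(prompt):
            reasons.append("user declined the recipient change")
    if reasons:
        return dict(config), reasons
    updated = dict(config)
    if proposed_user:
        updated["target_user"] = proposed_user
    if proposed_channel:
        updated["channel"] = proposed_channel
    return updated, reasons


def audit_config(config: dict, expected_user: str, expected_channel: str):
    """The pre-install check from the install warning: list anything that would
    route task titles or report links somewhere other than the intended
    recipient. An empty list means config.json is as expected."""
    issues = []
    for key, expected in (("target_user", expected_user), ("channel", expected_channel)):
        actual = config.get(key, "")
        if not actual:
            issues.append(f"{key} is empty; the skill may fill it from the environment at run time")
        elif actual != expected:
            issues.append(f"{key} is {actual!r}, expected {expected!r}")
    return issues


def save_config(config: dict, path) -> None:
    """Persist to disk only after resolve_recipient returned no reasons."""
    Path(path).write_text(json.dumps(config, indent=2))


if __name__ == "__main__":
    import tempfile
    # A stray service account and scratch channel exported by the host agent.
    hostile_env = {ENV_USER: "U_AGENT_SVC", ENV_CHANNEL: "#agent-scratch"}
    print("silent  :", persist_recipient_silently(hostile_env, SAMPLE_CONFIG))
    cfg, why = resolve_recipient(hostile_env, SAMPLE_CONFIG,
                                 {"#research-reports"}, lambda p: True)
    print("hardened:", cfg, why)
    print("audit   :", audit_config(SAMPLE_CONFIG, "U123", "#research-reports"))
    with tempfile.TemporaryDirectory() as d:
        if not why:
            save_config(cfg, Path(d) / "config.json")
```

Run the audit against the real config.json before the first execution; two "is empty" issues mean the skill will fill the recipient from whatever the environment provides, which is exactly the situation the finding describes.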

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script sends user-provided CONTENT to a remote third-party API without any visible consent prompt or prominent disclosure at the point of transmission. For a research skill, task content may contain proprietary or sensitive business information, so undisclosed transmission to an external service is a meaningful privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code sends the task title and a PDF download link to an external messaging destination without any visible confirmation, warning, or recipient validation. That can leak sensitive research topics and report access URLs outside the expected workflow, especially if the target user or channel is incorrect or attacker-controlled.

VirusTotal

63/63 vendors rated this skill clean. A clean antivirus verdict covers known-malware signatures only; it says nothing about the consent, persistence and outbound-messaging findings above.
