
Security audit

Sticker Manager

Security checks across malware telemetry and agentic risk

Overview

This sticker tool mostly matches its purpose, but it needs review because some file and data-handling paths are not safely scoped.

Install only with supervision. Avoid path-like names for delete or rename, do not pass sensitive files as chat history, avoid untrusted or internal URLs, and treat auto-tag/context recommendation output as potentially sensitive because it may include local paths and message text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The manifest documents substantial capabilities including shell execution, filesystem access, environment-variable use, and network retrieval, but does not declare permissions or clearly constrain them. This creates a transparency and policy-enforcement gap: an agent or reviewer may assume a safer local-only skill while the documented workflows can read/write files and reach external URLs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose emphasizes local sticker management, but the documented behavior expands into remote downloading, page scraping, URL validation, chat-history analysis, model-planning, and an unrelated sensitive-information scan. That mismatch is dangerous because it hides materially broader data access and network behavior than a user would reasonably expect from the description, increasing the risk of unintended exfiltration, privacy issues, or unsafe invocation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README documents remote URL fetching and webpage scraping capabilities that materially expand the skill from local sticker-library management into network-enabled source discovery. That increases attack surface, creates SSRF/privacy risks, and can mislead reviewers or users who expect only local file operations based on the manifest description.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The README introduces visual-model auto-tagging and model-planning behavior that is not reflected in the stated local sticker-management scope. Hidden or under-disclosed model invocation can expose local image contents to external services, create unexpected data flows, and cause agents to grant broader permissions than intended.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is presented as managing a local sticker library, yet it also discovers and can fetch remote URLs and pages. This broadens the trust boundary from local media management to external network interaction, which can expose metadata, contact untrusted hosts, and import malicious or inappropriate content without a clearly disclosed security model.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Web discovery and retrieval are higher-risk behaviors than ordinary local library operations because they introduce untrusted remote input, external requests, and content scraping. In the context of a sticker manager, these features are only loosely justified and therefore more likely to surprise users or be abused to trigger network activity outside their expectations.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The --symlink option allows the library to contain links to files anywhere on the local filesystem rather than self-contained imported copies. In a sticker-management context this can unintentionally expose arbitrary external files through later library operations, create confusing trust boundaries, and make the sticker library depend on files outside the managed directory.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The collector fetches arbitrary remote URLs and scrapes Giphy HTML even though the skill is framed as local sticker library management. This expands the trust boundary to the network, enabling unexpected outbound requests, privacy leakage, and server-side request behavior against attacker-controlled URLs without clear user consent or restriction.
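
One way to gate the collector's outbound requests before any fetch happens, as an added example written for this audit rather than code from the Sticker Manager itself. The allowlist (`giphy.com` and its subdomains, chosen because the finding names Giphy scraping), the function names and the port rule are assumptions; the point is that a sticker collector has no business reaching non-HTTPS schemes, literal IP hosts (loopback, link-local and cloud metadata ranges included), URLs carrying credentials, or hosts outside a short allowlist.

```python
"""SSRF guard for a sticker URL collector (added example, not the skill's own
code). ALLOWED_HOSTS, classify_url and resolves_to_public_only are assumed names."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"giphy.com", "media.giphy.com"}  # assumed allowlist for this example
ALLOWED_SCHEMES = {"https"}
MAX_URL_LEN = 2048


def _host_allowed(host):
    host = host.rstrip(".").lower()
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


def classify_url(url):
    """Return (ok, reason) for a candidate sticker URL.

    Rejects: over-long URLs, non-HTTPS schemes (file:, http:, ftp:), URLs with
    userinfo, empty or invalid hosts, non-default ports, any literal IP host
    (private or public, since a sticker source is a domain name), and hosts
    outside the allowlist. Suffix matching is anchored on a leading dot so
    'giphy.com.evil.example' does not match 'giphy.com'.
    """
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"non-default port {port}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        kind = "public" if ip.is_global else "private/reserved"
        return False, f"literal ip host ({kind})"
    if not _host_allowed(host):
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


def resolves_to_public_only(host):
    """Second gate, to run at fetch time: every address the allowlisted name
    resolves to must be globally routable. Needs network, so it is not part of
    the offline checks; callers should also connect to the address they
    checked rather than re-resolving, to blunt DNS-rebinding races."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and all(a.is_global for a in addrs)
```

`classify_url` is the cheap, offline check that belongs in the collector before a URL is even queued; `resolves_to_public_only` covers the case where an allowlisted name is pointed at an internal address, which no string check can catch.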

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The script builds a semantic vision-analysis batch for every collected sticker, including file paths and descriptive prompts, which goes beyond basic sticker inventory management. In an agent setting this can cause unnecessary exposure of local file metadata and image contents to downstream analysis components or external models, creating an unexpected data disclosure channel.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The `context-recommend` action accepts an arbitrary path, checks `os.path.exists`, and reads the file contents wholesale before attempting to parse it as chat history. That permits this sticker-management skill to access unrelated local files outside the sticker library, which exceeds the declared scope and can expose sensitive data if an agent passes a user-controlled path.
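
The two path findings above (the `--symlink` import and the `context-recommend` file read) and the overview's advice to avoid path-like names for delete and rename all come down to the same missing check: nothing confirms that a path, after symlinks are followed, lies inside the directory the operation is scoped to. The helpers below show that check, as an added example for this audit and not code from the Sticker Manager; `ScopeError`, `safe_library_path`, `import_source_ok` and `read_chat_history` are assumed names, as is the idea of a separate allowed directory for chat-history exports.

```python
"""Scope checks for a sticker library (added example, not the skill's code).
All function names are assumed for illustration."""
import os
from pathlib import Path


class ScopeError(ValueError):
    """Raised when a path would leave the directory an operation is scoped to."""


def _resolved_under(path, root):
    """True if `path`, with every symlink followed, sits inside `root`."""
    root = Path(root).resolve()
    target = Path(path).resolve()
    try:
        target.relative_to(root)
        return True
    except ValueError:
        return False


def safe_library_path(library_root, name):
    """Map a sticker name from a rename/delete/clean request to a path inside
    the library. Path-like names ('../x', 'sub/x', '/etc/passwd') are refused
    outright; a plain name that is a symlink escaping the library is refused
    too, so a later delete or rename cannot act on an arbitrary file."""
    if not name or name in (".", "..") or "\0" in name:
        raise ScopeError(f"invalid sticker name: {name!r}")
    if os.path.basename(name) != name:
        raise ScopeError(f"path-like sticker name rejected: {name!r}")
    candidate = Path(library_root) / name
    if not _resolved_under(candidate, library_root):
        raise ScopeError(f"{name!r} resolves outside the library")
    return candidate


def import_source_ok(source, allowed_roots):
    """For --symlink imports: only link files whose real location is under an
    explicitly allowed media directory; anything else should be copied in, so
    the library never depends on or exposes files elsewhere on disk."""
    return any(_resolved_under(source, root) for root in allowed_roots)


def read_chat_history(path, allowed_dir, max_bytes=1_000_000):
    """Read a chat-history export only if it lives under `allowed_dir`, is a
    regular file and is at most `max_bytes`. Replaces the 'exists() then read
    everything' pattern, which would hand any local file to the analyzer."""
    if not _resolved_under(path, allowed_dir):
        raise ScopeError(f"{path} is outside the allowed history directory")
    real = Path(path).resolve()
    if not real.is_file():
        raise ScopeError(f"{path} is not a regular file")
    size = real.stat().st_size
    if size > max_bytes:
        raise ScopeError(f"{path} is {size} bytes, over the {max_bytes} limit")
    with open(real, "rb") as fh:
        return fh.read(max_bytes).decode("utf-8", errors="replace")
```

Resolving before comparing is the important part: checking `startswith` on the unresolved string accepts `../` sequences and symlinks, which is exactly what the `--symlink` finding is about.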

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
These functions add conversation-analysis capabilities (`analyze_chat_history`, `context_recommend`) to a skill described as sticker library management. Scope expansion matters because it causes the tool to process conversational content and emit analysis payloads for model consumption, creating a new data-handling surface that users would not reasonably expect from the manifest.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly documents features that analyze chat history and fetch remote URLs, but it does not clearly warn users that these actions may transmit private conversation data or initiate network requests to third-party systems. In an agent-skill context, missing privacy and data-flow warnings can cause users or downstream agents to invoke these features without understanding the confidentiality and metadata exposure risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README describes analyzing chat history for context-aware sticker recommendations without a clear privacy warning, consent requirement, or data-handling boundary. Chat history may contain sensitive personal or business information, and processing it for recommendations can expose or retain more data than users expect.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad trigger phrases like 'save this' or 'store this' increase the chance of accidental invocation in ordinary conversation, especially in an agent setting where recent media/history may be acted on automatically. Because the skill can write files and operate on chat/media history, unintended activation could save content the user did not mean to retain.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill includes rename, delete, clean, and import operations that modify or remove files, but the documentation does not emphasize destructive consequences or require confirmation. In a file-management context, that omission raises the risk of accidental data loss, especially when paired with broad natural-language triggers or automated agent execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes URL collection and remote discovery, including optional fetching, without a clear privacy or network disclosure. Users may not realize the skill will contact external servers, revealing IP/addressing metadata and potentially processing untrusted remote content under the guise of a local sticker tool.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs network downloads and writes files to disk as part of normal execution, but provides no meaningful pre-action warning or confirmation to the user. In an agent workflow, this can lead to silent filesystem modification and unanticipated data transfer to remote hosts, increasing the risk of misuse, privacy issues, and unsafe automation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code prints recent chat message previews and emits `__ANALYZE_HISTORY__` / `__CONTEXT_RECOMMEND__` payloads containing conversation text and derived context, without any disclosure warning or consent check. In an agent setting, that can leak private conversation content into logs, downstream tools, or external model-processing layers, making the issue more serious than ordinary console output.

Missing User Warnings

Low
Confidence
82% confidence
Finding
`auto_tag_file` prints and emits a JSON object containing the full expanded image path and filename for external processing. While lower severity than chat disclosure, filesystem paths can reveal usernames, directory structure, project names, or other sensitive local context, and the user is not warned that this metadata will be exposed.
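
The last two findings concern what the emitted `__CONTEXT_RECOMMEND__` and auto-tag payloads contain. Below is a data-minimising payload builder, added as an example for this audit and not taken from the skill: it refuses to build a chat-analysis payload without an explicit consent flag, keeps only the newest few messages with truncated text and no sender fields, and reports image locations relative to the library root instead of as full expanded paths. The marker strings come from the findings; `MAX_PREVIEW_CHARS`, `MAX_MESSAGES`, `ConsentRequired` and the function names are assumptions.

```python
"""Payload minimisation for the analysis emissions (added example, not the
skill's code). Constants and function names are assumed for illustration."""
import json
from pathlib import Path

MAX_PREVIEW_CHARS = 120   # assumed cap on per-message text sent downstream
MAX_MESSAGES = 5          # assumed cap on how many recent messages are included


class ConsentRequired(PermissionError):
    """Chat-history analysis must be opted into, not triggered silently."""


def library_relative(path, library_root):
    """Report a file as a path relative to the library root. A file outside the
    library is reported by filename only, so usernames, home directories and
    project layout never leave the machine in the payload."""
    p = Path(path).expanduser().resolve()
    root = Path(library_root).expanduser().resolve()
    try:
        return p.relative_to(root).as_posix()
    except ValueError:
        return p.name


def build_context_payload(messages, consent=False):
    """Build the __CONTEXT_RECOMMEND__ payload from chat messages (dicts with
    at least a 'text' key). Requires explicit consent, keeps only the newest
    MAX_MESSAGES messages, truncates each to MAX_PREVIEW_CHARS and drops every
    field other than the text (no senders, timestamps or attachments)."""
    if not consent:
        raise ConsentRequired("chat-history analysis needs explicit user consent")
    recent = messages[-MAX_MESSAGES:]
    previews = []
    for m in recent:
        text = str(m.get("text", ""))
        if len(text) > MAX_PREVIEW_CHARS:
            text = text[:MAX_PREVIEW_CHARS] + "..."
        previews.append(text)
    return {"kind": "context_recommend", "message_count": len(recent), "previews": previews}


def build_auto_tag_payload(image_path, library_root):
    """Build the auto-tag payload with a library-relative path, not the expanded one."""
    return {"kind": "auto_tag", "file": library_relative(image_path, library_root)}


def emit_line(marker, payload):
    """Render a marker line of the form '__MARKER__ {json}' for the agent layer."""
    return f"{marker} {json.dumps(payload, ensure_ascii=False, sort_keys=True)}"


# Constructed sample input for the example (not real chat history).
SAMPLE_MESSAGES = [
    {"sender": "alice@example.com", "ts": "2024-01-01T10:00:00Z", "text": f"message {i}"}
    for i in range(8)
] + [{"sender": "bob", "ts": "2024-01-01T10:09:00Z", "text": "x" * 200}]
```

With this shape the agent layer still gets enough context to pick a sticker, but the logs it flows into no longer carry addresses, timestamps, whole conversations or the user's home directory.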

VirusTotal

All 65 VirusTotal vendors reported the skill as clean (0 detections). A clean signature scan says nothing about the scope and data-flow issues listed above, which are behavioral rather than malware-based.

Static analysis

Detected: suspicious.obfuscated_code (Warn)

Potential obfuscated payload detected.

Location: tests/test_collect.py:82

The flagged line is in a test file. Test fixtures often contain encoded or compressed sample data that trips obfuscation heuristics, so inspect tests/test_collect.py:82 by hand before treating it as a malicious payload; if it is fixture data, note that in the review rather than dismissing the warning silently.