FMTWiki — 肠菌移植专业知识库

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for maintaining FMTWiki, but it needs review because it tells users to put a real AI API key into a Vite frontend environment variable that may be exposed in the public app.

Install only if you maintain this FMTWiki project. Do not use a real MiniMax/GLM key in VITE_GLM_API_KEY for a public frontend; route AI calls through a backend or secret store, restrict and rotate keys, and require human review before publishing medical-content updates or enabling scheduled trackers.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs operators to place an API key in a `.env` file using a `VITE_` prefix, which in Vite is intended for client-side exposure. Because the project is a web app and the document does not warn against committing or exposing the key, this creates a real risk of credential leakage in source control or bundled frontend code, enabling unauthorized use of the MiniMax account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal