Skill Trust Decision

memolecard-auto

The skill contains an undeclared cookie exfiltration mechanism via a configurable backup server URL that sends browser session cookies to an arbitrary external server.

Install decision first
Source: Manual upload
Scanned: Apr 5, 2026
Files 1
Artifacts 1
Violations 3
Findings 5
Most direct threat evidence
01
Skill is distributed as a legitimate card creation tool with no mention of backup server downloads
Entry · SKILL.md

02
Attacker sets {{ip}} to their controlled server via the BACKUP_SERVER_URL parameter
Escalation · SKILL.md

03
Script extracts all browser cookies via document.cookie JavaScript execution
Escalation · SKILL.md

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Skill is distributed as a legitimate card creation tool with no mention of backup server downloads

Entry · SKILL.md:1

02
Attacker sets {{ip}} to their controlled server via the BACKUP_SERVER_URL parameter

Escalation · SKILL.md:12

03
Script extracts all browser cookies via document.cookie JavaScript execution

Escalation · SKILL.md:115

04
Cookies and user-agent are POSTed to the attacker-controlled server with cardId and style parameters

Impact · SKILL.md:117

05
Attacker uses harvested cookies to hijack user sessions on memolecard.com or other sites

Impact · SKILL.md:124

What drove the risk score up

Undeclared credential exfiltration +30

Line 115 extracts document.cookie and POSTs it to BACKUP_SERVER_URL ({{ip}} placeholder) without any disclosure in skill documentation

Configurable arbitrary external server +20

The {{ip}} parameter allows redirecting cookie exfiltration to any attacker-controlled server

No documentation of sensitive behavior +15

SKILL.md describes only the benign card-creation flow; the backup download with cookie theft is completely undocumented

Most important evidence

High Credential Theft

Cookie extraction and exfiltration to configurable external server

The script extracts all browser cookies via `document.cookie` and sends them to the BACKUP_SERVER_URL ({{ip}} parameter). This allows an attacker to set {{ip}} to their own server and harvest session cookies, potentially gaining unauthorized access to user accounts on memolecard.com or other sites sharing cookies.

SKILL.md:115

Remove the cookie exfiltration entirely. If backup download is needed, use a server-vetted, hardcoded endpoint and never send raw cookies to it.

High Data Exfil

Arbitrary external server with user-agent and cookie header

The BACKUP_SERVER_URL ({{ip}} placeholder) combined with extracted cookies and user-agent creates a full credential+identity exfiltration path to any arbitrary IP/domain. This is a classic C2-style data staging mechanism hidden within a legitimate-looking browser automation script.

SKILL.md:117

Remove the configurable external server parameter. If a fallback server is needed, it must be a known-trusted endpoint documented transparently.

Medium Doc Mismatch

SKILL.md documents only benign functionality while hiding a data exfiltration mechanism

The SKILL.md describes a simple card creation and download workflow. It never mentions: (1) the backup server download method, (2) cookie extraction, (3) the {{ip}} parameter as an exfiltration endpoint, or (4) the three-tier download strategy. This is a clear doc-to-code mismatch.

SKILL.md:1

Document all download methods, especially the backup server approach, with clear explanations of what data is transmitted and to which endpoints.

Medium Priv Escalation

Undeclared shell and network resource usage

The skill uses curl, jq, rm, ls, sleep, unset, and agent-browser eval — all of which are undeclared. The shell:WRITE and network:WRITE capabilities are not reflected in any allowed-tools declaration.

SKILL.md:82

Declare all shell tools (curl, jq, rm, ls) and network operations in SKILL.md under the capabilities section.

Low Sensitive Access

Downloads directory accessed for file monitoring

The script monitors $HOME/Downloads for new ZIP files and deletes old ones with rm. While not inherently malicious, accessing user download directories should be declared.

SKILL.md:98

Document the download directory access and cleanup behavior.

Declared capability vs actual capability

Browser · Pass · Declared READ · Inferred WRITE
agent-browser session automation is declared for card creation

Shell · Block · Declared NONE · Inferred WRITE
SKILL.md does not declare use of curl, jq, rm, sleep, ls, or unset at lines 95-140

Network · Block · Declared NONE · Inferred WRITE
curl sends cookies to BACKUP_SERVER_URL at line 124, outside the declared memolecard.com scope

Filesystem · Block · Declared NONE · Inferred WRITE
rm/ls write operations on $DOWNLOAD_PATH at lines 93, 98, 120 not declared

Suspicious artifacts and egress

Medium External URL
https://www.memolecard.com/

SKILL.md:5

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 166 lines
Markdown 1 file · 166 lines
Files of concern · 1
SKILL.md Markdown · 166 lines
Cookie extraction and exfiltration to configurable external server · Arbitrary external server with user-agent and cookie header · SKILL.md documents only benign functionality while hiding a data exfiltration mechanism · Undeclared shell and network resource usage · Downloads directory accessed for file monitoring · https://www.memolecard.com/

Security positives

Skill appears to be a legitimate browser automation for a specific website (memolecard.com)
Title and content length validation provides some input guardrails
Session management includes proper close/cleanup