High Risk — Risk Score 62/100
Last scan: 18 hr ago
monid
Agentic payment platform CLI for data scraping from social media, e-commerce, and search platforms
The skill instructs users to execute a remote script via curl|bash (a critical high-risk pattern), which could be replaced with a malicious version at any time, and it generates and stores API keys locally without declaring credential handling behavior.
Skill Name: monid
Duration: 55.1s
Engine: pi
Do not install this skill
Do not use this skill. Replace curl|bash installation with verified binary downloads from tagged releases (e.g., download from a specific version tag rather than 'main' branch). Require the skill to declare all allowed tools in a _meta.json before use.

Attack Chain 5 steps

Entry User invokes the skill and is prompted to install via curl|bash
SKILL.md:26
Escalation Malicious actor compromises GitHub repo 'FeiyouG/monid-client' or performs MitM to serve a trojaned install.sh from the mutable 'main' branch
SKILL.md:26
Escalation install.sh executes with user privileges, installing arbitrary binaries to ~/.local/bin/monid and potentially adding persistence hooks
SKILL.md:26
Escalation User runs 'monid auth login' and 'monid keys generate' — the monid binary (supplied by the malicious install) could harvest OAuth tokens, Ed25519 private keys, and store them for exfiltration
SKILL.md:47
Impact API keys, OAuth tokens, and scraped data are exfiltrated to the attacker-controlled backend (monid-cli infrastructure)
SKILL.md:47

Findings 7 items

Severity Finding Location
Critical
Remote script execution via curl|bash from mutable branch RCE
The skill instructs users to run 'curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash' in at least 7 locations (lines 26, 31, 61, 75, 83, 98, 126, 137, 160, 163, 184, 201). The 'main' branch of a GitHub repo is mutable — a repo compromise or man-in-the-middle attack can silently replace the script with arbitrary malicious code that executes with the user's full privileges.
curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash
→ Replace with pinned binary downloads from a tagged release, or provide SHA256 checksums. Never pipe remote content directly into bash.
SKILL.md:26
Critical
No allowed-tools declaration in _meta.json Priv Escalation
The skill has no _meta.json file and does not declare any allowed tools through the capability model. The capability model (filesystem, network, shell, environment, skill_invoke, clipboard, browser, database × NONE/READ/WRITE/ADMIN) is entirely undeclared, making it impossible to audit what resources this skill actually accesses when invoked.
No _meta.json found
→ Add a _meta.json with explicit allowed-tools declarations. Map Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE, WebFetch→network:READ as appropriate.
SKILL.md:1
High
Undeclared credential generation and local key storage Credential Theft
The skill instructs users to generate API keys via 'monid keys generate --label main' and stores encrypted Ed25519 key pairs locally at ~/.monid/keys/. While these are local keys, the behavior is not declared in any security documentation, and the key generation mechanism runs inside a third-party CLI whose code is never reviewed.
monid keys generate --label main
→ Declare credential generation as a capability. Consider using environment variables or secrets management instead of local file storage for API keys.
SKILL.md:47
High
Skill name 'monid' has no verifiable public presence Doc Mismatch
The skill claims to be an 'agentic payment platform CLI' but the brand 'Monid' / 'monid' has no verifiable public footprint outside this skill. The GitHub repo FeiyouG/monid-client is a single-person repo with no stars and no clear commercial entity behind it. A legitimate commercial scraping service would have verifiable documentation, company registration, and stable distribution channels.
name: monid
→ Verify the vendor identity independently. Request documentation of the corporate entity, privacy policy, and data handling practices before using this skill.
SKILL.md:1
High
Installation from mutable 'main' branch with no integrity check Supply Chain
The install.sh script is fetched from the 'main' branch with no GPG signature, no pinned commit hash, and no SHA256 verification. Even if the repo is legitimate today, it can be updated with malicious code at any time. The install script also runs with user-level privileges and could install persistence mechanisms.
curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash
→ Download binaries from a specific tagged release (e.g., /releases/download/v1.0.0/monid-linux-x64). Provide SHA256 checksums in the documentation. Add version pinning.
SKILL.md:26
Medium
OAuth authentication stores credentials to ~/.monid/ Sensitive Access
The OAuth login flow saves workspace information to ~/.monid/config.yaml. This file may contain OAuth tokens or session data. Accessing or storing credentials in the user's home directory is sensitive behavior that should be declared.
Workspace information is saved to ~/.monid/config.yaml
→ Declare that the skill accesses the ~/.monid/ directory. Use a permission-gated secrets store instead of plaintext config files in the home directory.
SKILL.md:38
Medium
Heavy bundling of documentation to reduce transparency Obfuscation
The references/capabilities.md file (1009 lines) is a reference table that could have been inline in SKILL.md. Separating it makes it harder to audit the full scope of the skill in one pass. This pattern can be used to hide additional instructions from quick reviewers.
References file with 1009 lines of additional capability data
→ Keep all skill documentation in a single SKILL.md file. Any additional reference data should be clearly linked and audited together.
references/capabilities.md:1
Resource Declared Inferred Status Evidence
Shell NONE WRITE ✓ Aligned SKILL.md:26 — curl -fsSL https://... | bash
Network NONE READ ✓ Aligned SKILL.md:26,31 — raw script download from github.com
Filesystem NONE WRITE ✓ Aligned SKILL.md:38 — stores config to ~/.monid/config.yaml; SKILL.md:47 — stores keys t…
Skill Invoke NONE NONE No _meta.json; invocation model not declared
1 Critical 2 findings
Critical Dangerous Command (dangerous shell command)
curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash
SKILL.md:26
Medium External URL
https://amazon.com/dp/B0123456
SKILL.md:471

File Tree

2 files · 36.1 KB · 1114 lines
Markdown 2f · 1114L
├─ 📁 references
│ └─ 📝 capabilities.md Markdown 390L · 13.3 KB
└─ 📝 SKILL.md Markdown 724L · 22.8 KB

Dependencies 1 items

Package Version Source Known Vulns Notes
FeiyouG/monid-client main (mutable) github raw script No CRITICAL: Installs via curl|bash from mutable branch with no integrity verification. The binary is a closed-source third-party tool whose code cannot be audited.

Security Positives

✓ The skill describes what platforms it can scrape (X, Instagram, TikTok, LinkedIn, YouTube, Facebook, Amazon, Google) — scope is relatively clear
✓ The skill includes pricing estimates for each capability, showing cost transparency
✓ The skill includes a 'What Monid CANNOT Do' section with constraints
✓ No direct code execution, obfuscation, or exfiltration loops found in the documentation itself
✓ Uses OAuth for authentication rather than password-based login