Skill Trust Decision
rewrite_question
Skill claims to only rewrite queries but secretly connects to an external IP (47.77.199.56), embeds a default admin JWT credential, queries a Milvus database, and executes Python subprocesses — all undeclared.
Most direct threat evidence
High Doc Mismatch
Network capability declared as NONE but actual traffic exists SKILL.md declares 'network: NONE' yet rewrite_question.py:472 makes HTTP POST requests to an externally hosted Gemini API at the hardcoded IP 47.77.199.56. The skill description says it only 'rephrases questions' with no mention of LLM API calls or external network communication.
rewrite_question.py:472 Why this conclusion was reached
3/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
1 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 0 attack-chain steps and 3 severe findings.
Pass
Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.
What drove the risk score up
Hardcoded external IP address +10
47.77.199.56 hardcoded as Gemini API endpoint — no DNS, points to Chinese infrastructure (line 559)
Embedded JWT credential +8
Default admin JWT token (BI-eyJ...Ij8pY) with userId:'admin' and exp 2027-03-13 embedded in code (lines 562-570)
Undeclared network access +10
SKILL.md declares network:NONE but code makes HTTP POST to 47.77.199.56 via httpx
Undeclared database access +8
Connects to Milvus (pymilvus) to fetch QA pairs — not declared in SKILL.md
Undeclared shell/code execution +5
index.js uses child_process.spawn to execute Python; SKILL.md declares no shell access
Hidden QA-bypass functionality +4
Silent SQL output via QA pair matching (Path A) — not mentioned in skill description
Most important evidence
High Doc Mismatch
Network capability declared as NONE but actual traffic exists
SKILL.md declares 'network: NONE' yet rewrite_question.py:472 makes HTTP POST requests to an externally hosted Gemini API at the hardcoded IP 47.77.199.56. The skill description says it only 'rephrases questions' with no mention of LLM API calls or external network communication.
rewrite_question.py:472 Update SKILL.md to declare network:READ for LLM API calls. Consider documenting the external service endpoint.
High Credential Theft
Default JWT token embedded in source code
A default JWT token (BI-eyJ...Ij8pY) is hardcoded in _get_gemini_config() containing userId:'admin' and an expiration of March 2027. While this may be an internal service token, embedding credentials in source code is a security risk and could leak in logs or version control.
rewrite_question.py:562 Remove the embedded JWT from source code. Require GEMINI_TOKEN to be set via environment or .env file only.
High Data Exfil
Hardcoded external IP address for all LLM communication
The Gemini API endpoint defaults to a raw IP address (47.77.199.56) rather than a DNS hostname. This IP is in Chinese address space (47.77.x.x). The base URL is not configurable via SKILL.md or documented, and all queries — potentially including user data and conversation context — are sent to this address.
rewrite_question.py:559 Use a DNS-resolvable hostname instead of a raw IP. Declare the network endpoint in SKILL.md. Consider whether data sent to this external service is within compliance.
Medium Priv Escalation
Undeclared Milvus database access
The skill connects to a Milvus vector database (rewrite_question.py:584-596) to fetch QA pairs. The connection supports user/password authentication. SKILL.md declares database:NONE and no mention of database access anywhere in the documentation.
rewrite_question.py:584 Declare database:READ access in SKILL.md if Milvus access is intentional. Document which Milvus collection is queried and what data is retrieved.
Medium RCE
Undeclared Python subprocess execution via Node.js wrapper
index.js uses child_process.spawn to execute Python code inline, passing the skill directory and JSON payload as arguments. This is shell/code execution that is not declared in SKILL.md (shell:NONE).
index.js:62 Document the shell:WRITE capability if subprocess execution is intentional, or refactor to use a different IPC mechanism.
Medium Doc Mismatch
Hidden SQL bypass via QA pair matching not documented
Path A (rewrite_question.py:227-237) silently outputs SQL when a user query matches a QA pair in Milvus — bypassing the normal rewriting flow entirely. The rewritten query is unchanged, but matched_sql contains a full SQL statement. This 'shortcut' behavior is not described in SKILL.md.
rewrite_question.py:227 Document the QA pair matching behavior in SKILL.md, including that SQL can be directly output.
Low Supply Chain
No dependency pinning — uses httpx, pymilvus, python-dotenv without versions
No requirements.txt, pyproject.toml, or package.json exists. The code imports httpx, pymilvus, python-dotenv with no version constraints, making it vulnerable to dependency confusion or supply chain attacks.
rewrite_question.py:1 Create a requirements.txt or pyproject.toml with pinned versions for all dependencies.
Declared capability vs actual capability
Filesystem Pass
Declared NONE
→ Inferred WRITE
index.js:61 — writes JSON output to file via Python subprocess Network Block
Declared NONE
→ Inferred WRITE
rewrite_question.py:472 — httpx.Client POST to http://47.77.199.56; SKILL.md:network:NONE Shell Block
Declared NONE
→ Inferred WRITE
index.js:62 — spawn(PYTHON_BIN, ['-c', script, skillDir]) Environment Pass
Declared NONE
→ Inferred READ
rewrite_question.py:556 — os.getenv for GEMINI_API_KEY, MILVUS_HOST, MILVUS_PASSWORD Skill Invoke Pass
Declared NONE
→ Inferred NONE
No cross-skill invocation found Clipboard Pass
Declared NONE
→ Inferred NONE
No clipboard access Browser Pass
Declared NONE
→ Inferred NONE
No browser access Database Block
Declared NONE
→ Inferred WRITE
rewrite_question.py:584-596 — PyMilvusClient query() reads from Milvus; supports user/password auth Suspicious artifacts and egress
High IP Address
47.77.199.56 rewrite_question.py:559
Medium External URL
http://47.77.199.56/api/v1beta rewrite_question.py:559
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| httpx | unpinned | import | No | No requirements.txt or pyproject.toml; httpx version uncontrolled |
| pymilvus | unpinned | import | No | Used for Milvus DB access; optional import with try/except |
| python-dotenv | unpinned | import | No | Used for .env loading; optional import with try/except |
| asyncio | built-in | stdlib | No | Standard library, no risk |
File composition
3 files · 943 lines
Python 1 files · 769 linesJavaScript 1 files · 128 linesMarkdown 1 files · 46 lines
Files of concern · 2
rewrite_question.py Network capability declared as NONE but actual traffic exists · Default JWT token embedded in source code · Hardcoded external IP address for all LLM communication · Undeclared Milvus database access · Hidden SQL bypass via QA pair matching not documented · No dependency pinning — uses httpx, pymilvus, python-dotenv without versions · 47.77.199.56 · http://47.77.199.56/api/v1beta
index.js Undeclared Python subprocess execution via Node.js wrapper
Other files · SKILL.md
Security positives
No base64-encoded payloads piped to shell
No direct credential exfiltration code (credentials sent to intended Gemini API endpoint, not third-party)
No reverse shell, C2, or ransomware patterns found
No cron/scheduled task or persistence mechanisms
No prompt injection instructions in comments
No ~/.ssh, ~/.aws, or .env file reading beyond standard dotenv loading