Security audit

GDPR Security Auditor

Security checks across malware telemetry and agentic risk

Overview

This GDPR audit skill is mostly purpose-aligned, but it asks an agent to perform broad sensitive system scans and privileged checks without tight scope or output protections.

Install or run this only on systems you are authorized to audit. Limit scans to approved directories and accounts, run privileged checks only when needed, and protect the generated report directory with restrictive permissions because it may contain PII locations, credential file paths, access-control details, and security weaknesses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill explicitly claims the audit is "read-only," but the documented workflows create directories and write multiple audit artifacts and templates to disk via mkdir, tee redirections, and here-doc output. This mismatch is dangerous because operators may grant access or run the skill under a false assumption about side effects, which can affect integrity, storage handling, and retention of sensitive audit data.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "--- TLS Verification ---"
for port in 443 8443 9443; do
  echo "Port $port:"
  result=$(curl -s -X POST "http://localhost:8765/aynops/ssl" \
    -H "Content-Type: application/json" \
    -d "{\"host\": \"$TARGET\", \"port\": $port}" 2>/dev/null)
Confidence
86% confidence
Finding
curl -s -X POST "http://localhost:8765/aynops/ssl" \ -H "Content-Type: application/json" \ -d

File System Enumeration

Medium
Category
Data Exfiltration
Content
# World-readable sensitive files
echo ""
echo "--- World-Readable Sensitive Files ---"
find /home -type f \( -name "*.env" -o -name "*.pem" -o -name "id_*" -o -name "*.key" \) -perm /o+r 2>/dev/null | \
  while IFS= read -r file; do
    echo "  ❌ WORLD-READABLE: $file"
  done | tee "$AUDIT_DIR/world-readable-sensitive.txt"
Confidence
91% confidence
Finding
find /home -type f \( -name "*.env

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# PostgreSQL
if systemctl is-active --quiet postgresql 2>/dev/null; then
  echo "PostgreSQL: RUNNING" | tee -a "$AUDIT_DIR/databases.txt"
  sudo -u postgres psql -c "\l" 2>/dev/null >> "$AUDIT_DIR/postgres-databases.txt"
else
  echo "PostgreSQL: not running" | tee -a "$AUDIT_DIR/databases.txt"
fi
Confidence
90% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Firewall rules
echo ""
echo "--- Firewall Rules ---"
sudo iptables -L -n -v 2>/dev/null | head -40 | tee "$AUDIT_DIR/firewall-rules.txt"

# Open ports
echo ""
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# PostgreSQL table sizes and ages
if systemctl is-active --quiet postgresql 2>/dev/null; then
  sudo -u postgres psql -c "
    SELECT 
      schemaname || '.' || relname AS table_name,
      n_live_tup AS estimated_rows,
Confidence
90% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
| Symptom | Likely Cause | Fix |
|---------|-------------|-----|
| Disk encryption not detected | Not using LUKS | Check with `sudo dmsetup ls` |
| TLS check fails | Certificate expired | Renew via certbot or CA |
| Firewall rules empty | iptables not configured | `sudo iptables -L -n` |
| PostgreSQL access denied | No sudo/peer auth | Configure `~/.pgpass` or peer auth |
Confidence
78% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
|---------|-------------|-----|
| Disk encryption not detected | Not using LUKS | Check with `sudo dmsetup ls` |
| TLS check fails | Certificate expired | Renew via certbot or CA |
| Firewall rules empty | iptables not configured | `sudo iptables -L -n` |
| PostgreSQL access denied | No sudo/peer auth | Configure `~/.pgpass` or peer auth |
| PII scan too slow on large filesystems | Recursive find on /home | Limit with `-maxdepth 3` |
| DPIA template questions unclear | Template designed for general case | Customize per processing activity |
Confidence
78% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
echo "--- SSH Keys ---"
for user_home in /home/*; do
  user=$(basename "$user_home")
  if [ -f "$user_home/.ssh/authorized_keys" ]; then
    key_count=$(wc -l < "$user_home/.ssh/authorized_keys")
    echo "  User $user: $key_count authorized keys"
Confidence
94% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
for user_home in /home/*; do
  user=$(basename "$user_home")
  if [ -f "$user_home/.ssh/authorized_keys" ]; then
    key_count=$(wc -l < "$user_home/.ssh/authorized_keys")
    echo "  User $user: $key_count authorized keys"
    
    # Check key types (ed25519 > rsa)
Confidence
94% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
echo "  User $user: $key_count authorized keys"
    
    # Check key types (ed25519 > rsa)
    rsa_keys=$(grep -c "ssh-rsa" "$user_home/.ssh/authorized_keys" 2>/dev/null || echo 0)
    ed25519_keys=$(grep -c "ssh-ed25519" "$user_home/.ssh/authorized_keys" 2>/dev/null || echo 0)
    if [ "$rsa_keys" -gt 0 ]; then
      echo "    ⚠️  $rsa_keys RSA keys (deprecated — migrate to ed25519)"
Confidence
95% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
# Check key types (ed25519 > rsa)
    rsa_keys=$(grep -c "ssh-rsa" "$user_home/.ssh/authorized_keys" 2>/dev/null || echo 0)
    ed25519_keys=$(grep -c "ssh-ed25519" "$user_home/.ssh/authorized_keys" 2>/dev/null || echo 0)
    if [ "$rsa_keys" -gt 0 ]; then
      echo "    ⚠️  $rsa_keys RSA keys (deprecated — migrate to ed25519)"
    fi
Confidence
95% confidence
Finding
/.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
if grep -qiE "secret|password|token|key|credential" "$file" 2>/dev/null; then
      echo "  SENSITIVE: $file (contains credential patterns)"
    fi
  done | tee "$AUDIT_DIR/plaintext-secrets.txt"

# Check log files for PII leakage
echo ""
Confidence
92% confidence
Finding
secrets.txt

Credential Access

High
Category
Privilege Escalation
Content
# World-readable sensitive files
echo ""
echo "--- World-Readable Sensitive Files ---"
find /home -type f \( -name "*.env" -o -name "*.pem" -o -name "id_*" -o -name "*.key" \) -perm /o+r 2>/dev/null | \
  while IFS= read -r file; do
    echo "  ❌ WORLD-READABLE: $file"
  done | tee "$AUDIT_DIR/world-readable-sensitive.txt"
Confidence
93% confidence
Finding
.env"

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.