SkillGuard Hardened

Security checks across malware telemetry and agentic risk

Overview

This is a real security management skill, but it needs review because it can run arbitrary commands, move or delete skill directories, and send scanned skill content to a remote AI provider.

Install only if you want a high-privilege security management tool. If you do:
  • Use a dedicated Zenmux key.
  • Review or disable remote AI auditing for private skills.
  • Prefer quarantine over delete, and avoid bulk auto-delete.
  • Do not use the generic exec wrapper for unrelated commands.
  • Verify remote Moltbook downloads before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 84%
Finding
The skill is described primarily as an auditing and recommendation tool, but the documented commands show materially stronger capabilities: deleting skill directories, auto-remediating in bulk, executing arbitrary external commands via a guarded wrapper, and downloading and installing content from remote domains. In a high-privilege security tool, this mismatch is dangerous because users or automation may grant trust appropriate for a scanner while unknowingly enabling a powerful installer/remediator with destructive and code-execution paths.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script includes a built-in remote fetch-and-install flow for Moltbook that goes beyond passive auditing and turns the guard into a software installer. That creates a supply-chain attack surface: if the remote content or destination trust is compromised, the guard can stage and install attacker-controlled skill files into the user's skill directory after only whatever checks ensure_safe performs.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The _download function's trust model is inconsistent with its documentation: it claims a strict trusted-domain whitelist, but the allowlist also includes an unrelated domain, fluxapay.xyz. In security-sensitive download code, undocumented exceptions are dangerous because they expand the trusted boundary and can conceal an unintended or unauthorized remote source for content that is later installed locally.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script is presented as a security scanner/auditor, but it also performs state-changing remediation actions against skill directories. Mixing audit and enforcement/destructive behavior increases the blast radius of a misclassification, policy error, or AI/static-analysis false positive, allowing legitimate skills to be quarantined or removed during a scan workflow.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
Supporting automatic deletion of skill directories is a destructive capability that exceeds the stated role of an auditor/recommender. Even though the code requires both --force and --yes, it can still permanently delete content based on scanner output, so a false positive, malicious policy change, or unsafe automation around this CLI could cause irreversible loss of legitimate skills.

Missing User Warnings

Medium
Confidence: 96%
Finding
This code transmits the skill package content to a third-party AI service for analysis, which can expose proprietary code, embedded secrets, or sensitive metadata outside the local environment. Even if intended, the absence of explicit user-facing disclosure or consent creates a real data-handling and privacy risk, especially when auditing untrusted packages that may contain confidential material.

VirusTotal

64/64 vendors flagged this skill as clean.
