
Security audit

AI守门人

Security checks across malware telemetry and agentic risk

Overview

This local LLM proxy mostly matches its stated purpose, but its stop path can forcibly terminate unrelated local services, and its advertised streaming safety filter may not actually block risky streamed output.

Install it only if you are comfortable running a local background proxy. Before starting or restarting it, confirm that port 18888 is not already in use by another service. Use scoped provider API keys with billing limits, do not rely on the streaming content filter as a complete safety control, and periodically review or delete the local logs if you pass sensitive prompts or responses through the proxy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The stop path can terminate more than the intended proxy process. It first attempts `kill -9 -- -"$pid"`, which targets an entire process group, and then force-kills any process bound to the configured port, so a stale or incorrect PID/port value can kill unrelated local processes and cause denial of service.
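
The safer stop path a practitioner would want in place of the group kill and port kill described above, written here as an added example (this is not the skill's own stop script). It verifies that the PID still belongs to the proxy before signalling it, refuses negative or stale PIDs so nothing can turn into a process-group kill, and only reports, never kills, whatever is listening on 18888 (the pre-start check the Overview asks for). The expected command-line substring, the PID-file location and the throwaway `sleep` used as a stand-in for the proxy are assumptions for illustration; `lsof` is only used for reporting and may be absent.

```python
"""Added example, not the skill's own stop script: stop one verified PID instead of a
process group or whichever process happens to own the port."""
import os
import signal
import subprocess
import time

PROXY_PORT = 18888  # port documented on the page


def proc_info(pid):
    """(state, command line) for pid, or None if no such process.
    Reads /proc on Linux and falls back to ps(1) elsewhere."""
    if os.path.isdir("/proc/self"):
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat = fh.read()
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            return None
        state = stat.rsplit(")", 1)[1].split()[0]          # field right after "(comm)"
        return state, raw.replace(b"\0", b" ").decode(errors="replace").strip()
    try:
        out = subprocess.run(["ps", "-o", "stat=,args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False).stdout.strip()
    except FileNotFoundError:
        return None
    if not out:
        return None
    state, _, args = out.partition(" ")
    return state, args.strip()


def is_running(pid):
    """True if the PID exists and is not a zombie (a zombie still answers kill -0)."""
    info = proc_info(pid)
    return info is not None and not info[0].startswith("Z")


def pid_matches(pid, expected):
    """True only for a live process whose command line contains `expected`.
    pid <= 1 is rejected so a stale, empty or negative value never becomes a group kill."""
    if not isinstance(pid, int) or pid <= 1:
        return False
    info = proc_info(pid)
    return info is not None and not info[0].startswith("Z") and expected in info[1]


def safe_stop(pid, expected, grace=5.0):
    """SIGTERM, then SIGKILL after `grace` seconds, to exactly one verified PID.
    Returns "refused", "terminated" or "killed". Never signals -pid and never
    touches whatever is bound to the port."""
    if not pid_matches(pid, expected):
        return "refused"
    os.kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + grace
    while time.monotonic() < deadline:
        if not is_running(pid):
            return "terminated"
        time.sleep(0.05)
    os.kill(pid, signal.SIGKILL)
    return "killed"


def port_listeners(port=PROXY_PORT):
    """Report, never kill, PIDs listening on the port (lsof -t -iTCP:PORT -sTCP:LISTEN).
    Run before (re)starting the proxy; [] means free, or lsof unavailable (use `ss -ltnp`)."""
    try:
        out = subprocess.run(["lsof", "-t", f"-iTCP:{port}", "-sTCP:LISTEN"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return [int(tok) for tok in out.split() if tok.isdigit()]


def stop_from_pidfile(pidfile, expected):
    """Read the PID file, confirm it still names the proxy, then stop only that PID."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return "refused"
    result = safe_stop(pid, expected)
    if result != "refused":
        os.unlink(pidfile)
    return result


def demo():
    """Exercise the checks against a throwaway `sleep` standing in for the proxy."""
    victim = subprocess.Popen(["sleep", "300"])
    results = {
        "wrong_name_refused": safe_stop(victim.pid, "ai-gatekeeper-proxy") == "refused",
        "still_alive_after_refusal": is_running(victim.pid),
        "negative_pid_refused": safe_stop(-victim.pid, "sleep") == "refused",
        "right_name_result": safe_stop(victim.pid, "sleep"),
    }
    victim.wait()                                   # reap the zombie
    results["gone_after_stop"] = not is_running(victim.pid)
    return results


if __name__ == "__main__":
    print(demo(), "listeners on", PROXY_PORT, ":", port_listeners())
```

The two behaviours the finding objects to are simply absent here: there is no `-pid` target, so a wrong PID cannot become a process-group kill, and the port owner is only listed for the operator to act on. If the PID file names a PID that has been recycled by another program, `pid_matches` fails the command-line check and the script refuses rather than killing a bystander.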

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The SSE filtering routine returns modified output and a blocked flag, but the caller never assigns the processed stream back to the response body and still sends the original upstream data. That means risky streaming content can bypass the proxy’s intended safety controls, creating a fail-open condition where operators believe content is filtered when it is not.
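
To make the fail-open condition concrete, here is an added example (not the skill's own code) of an SSE filter together with the two caller shapes: one that runs the filter but sends the original upstream bytes, and one that sends what the filter returns and carries its blocked flag to the caller. The block patterns, the OpenAI-style `data:` chunk format and the constructed stream are assumptions for illustration. The filter re-frames raw network chunks into SSE events and scans the assistant text across event boundaries, because a dangerous string is usually split over several deltas.

```python
"""Added example, not the skill's own code: an SSE content filter whose output the
caller actually sends, beside the fail-open caller pattern the audit describes."""
import json
import re

# Assumed block list for illustration; the real proxy's rules are not on the page.
BLOCK_PATTERNS = [re.compile(r"rm\s+-rf\s+/"), re.compile(r"sk-[A-Za-z0-9]{16,}")]
BLOCK_NOTICE = "[content withheld by proxy filter]"


def chunk_event(text):
    """One OpenAI-style streaming event carrying a content delta (no trailing blank line)."""
    return b"data: " + json.dumps({"choices": [{"delta": {"content": text}}]}).encode()


class SSEFilter:
    """Wraps an upstream byte iterable, re-frames it into SSE events, scans the assistant
    text across event boundaries and withholds content once a pattern completes."""

    def __init__(self, upstream, patterns=BLOCK_PATTERNS, window=256):
        self.upstream, self.patterns, self.window = upstream, patterns, window
        self.blocked = False
        self._recent = ""        # rolling window of forwarded text: catches "rm -rf " + "/"

    @staticmethod
    def _delta_text(event):
        """Content delta of a chat-completion chunk, or None for anything else."""
        for line in event.split(b"\n"):
            if line.startswith(b"data:"):
                payload = line[5:].strip()
                if payload == b"[DONE]":
                    return None
                try:
                    return json.loads(payload)["choices"][0]["delta"].get("content") or ""
                except (ValueError, KeyError, IndexError, TypeError, AttributeError):
                    return None
        return None

    def _filter_event(self, event):
        text = self._delta_text(event)
        if text is None:
            return event                      # comments, [DONE], non-delta events pass through
        if self.blocked:
            return None                       # once blocked, drop every further content delta
        self._recent = (self._recent + text)[-self.window:]
        if any(p.search(self._recent) for p in self.patterns):
            self.blocked = True
            return chunk_event(BLOCK_NOTICE)
        return event

    def __iter__(self):
        buf = b""
        for chunk in self.upstream:           # network chunks do not align with events
            buf += chunk
            while b"\n\n" in buf:
                event, buf = buf.split(b"\n\n", 1)
                out = self._filter_event(event)
                if out is not None:
                    yield out + b"\n\n"
        if buf.strip():
            out = self._filter_event(buf)
            if out is not None:
                yield out + b"\n\n"


def proxy_body_fail_open(upstream):
    """The shape the audit describes: the filter runs and sets blocked, but its
    output is never assigned back, so the original upstream bytes are what is sent."""
    f = SSEFilter(upstream)
    _filtered = b"".join(f)                   # computed, then silently discarded
    return b"".join(upstream)


def proxy_body_fixed(upstream):
    """Send the filter's output and surface its flag (a real server streams the chunks)."""
    f = SSEFilter(upstream)
    body = b"".join(f)
    return body, f.blocked


def constructed_upstream(chunk_size=17):
    """Constructed sample stream: the dangerous command is split over two deltas and
    the bytes are re-chunked so event boundaries fall in the middle of chunks."""
    raw = b"\n\n".join([chunk_event("Sure, run: rm -rf "), chunk_event("/ to clean up."),
                        chunk_event(" Then restart."), b"data: [DONE]"]) + b"\n\n"
    return [raw[i:i + chunk_size] for i in range(0, len(raw), chunk_size)]
```

One caveat the fixed caller does not remove: by the time the pattern completes, the `rm -rf ` prefix has already been forwarded to the client, and only the remainder of the stream is withheld. A streaming filter can hold back a short tail of text before forwarding it, at the cost of latency; without that, "blocked" means "stopped", not "never shown".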

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly documents request logging for proxy traffic but does not warn that logs may capture sensitive payloads such as user prompts, model inputs, API keys passed in headers, or provider responses. In a proxy skill, this omission is security-relevant because operators may enable or inspect logging without realizing they are creating a secondary store of secrets and sensitive content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly documents a log directory and request/response logging behavior, but does not warn users that their proxy traffic may be persisted to disk. Because this proxy handles LLM prompts and outputs, logs may contain sensitive user data, secrets, or regulated content, creating privacy and data-retention risk if users are unaware.
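
The two log findings above point at the same fix: decide what a proxy log record may contain before anything is written. The following added example (not the skill's own logger) strips credential-bearing headers, masks key-shaped tokens in bodies, stores a body hash instead of the prompt unless body logging is switched on deliberately, creates log files owner-only, and prunes files older than a retention window, the periodic deletion the Overview recommends. The header names, token shapes, retention period and the constructed request are assumptions for illustration.

```python
"""Added example, not the skill's own logger: proxy request/response log records that
keep secrets and prompt text out, plus retention pruning of old log files."""
import hashlib
import json
import os
import re
import tempfile
import time

SECRET_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "api-key", "cookie"}
# Assumed token shapes for illustration; extend for the providers actually configured.
SECRET_TOKEN_RE = re.compile(
    r"\b(?:sk-[A-Za-z0-9_\-]{8,}|AKIA[0-9A-Z]{16}|Bearer\s+[A-Za-z0-9._\-]{8,})")


def redact_headers(headers):
    """Replace the value of every credential-bearing header, case-insensitively."""
    return {k: ("<redacted>" if k.lower() in SECRET_HEADERS else v) for k, v in headers.items()}


def redact_text(text):
    """Mask API-key-shaped tokens that appear inside bodies or query strings."""
    return SECRET_TOKEN_RE.sub("<redacted>", text)


def build_log_record(method, path, headers, body, store_body=False):
    """Default: metadata plus a body hash, so a prompt can be correlated but not read.
    store_body=True keeps the (redacted) body; enable only deliberately and briefly."""
    rec = {
        "ts": time.time(), "method": method, "path": path,
        "headers": redact_headers(headers),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(), "body_len": len(body),
    }
    if store_body:
        rec["body"] = redact_text(body)
    return rec


def append_log(logfile, record):
    """Append one JSON line; the file is created owner read/write only (0600)."""
    fd = os.open(logfile, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(json.dumps(record) + "\n")


def prune_logs(logdir, max_age_days):
    """Delete *.log files whose mtime is older than max_age_days; return the names removed."""
    cutoff = time.time() - max_age_days * 86400
    removed = []
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if name.endswith(".log") and os.path.isfile(path) and os.stat(path).st_mtime < cutoff:
            os.unlink(path)
            removed.append(name)
    return removed


def demo():
    """Constructed request: a chat completion with a bearer token and a key in the body."""
    headers = {"Authorization": "Bearer sk-live-0123456789abcdef", "Content-Type": "application/json"}
    body = json.dumps({"messages": [{"role": "user", "content": "my key is sk-live-0123456789abcdef"}]})
    logdir = tempfile.mkdtemp(prefix="proxy-logs-")
    rec = build_log_record("POST", "/v1/chat/completions", headers, body, store_body=True)
    today = os.path.join(logdir, "requests.log")
    append_log(today, rec)
    stale = os.path.join(logdir, "old.log")
    append_log(stale, rec)
    os.utime(stale, (time.time() - 40 * 86400,) * 2)    # pretend this file is 40 days old
    removed = prune_logs(logdir, max_age_days=30)
    with open(today) as fh:
        written = fh.read()
    return {
        "secret_in_log": "0123456789abcdef" in written,
        "auth_redacted": rec["headers"]["Authorization"] == "<redacted>",
        "mode": os.stat(today).st_mode & 0o777,
        "removed": removed,
        "remaining": sorted(os.listdir(logdir)),
    }
```

The hash-only default is the setting to ship with: it still lets an operator tie a log line to a specific prompt they hold elsewhere, without turning the log directory into a second copy of every conversation. Regex masking is a backstop, not a guarantee; secrets that do not look like known key formats will pass through, which is the reason for not storing bodies at all unless needed.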

Tool Parameter Abuse

High
Category
Tool Misuse
Content
"timeout_seconds": 10
  },
  "whitelist": [
    "rm\\s+-rf\\s+/tmp/",
    "rm\\s+-rf\\s+\\./node_modules",
    "example\\.com",
    "your[_-]?api[_-]?key",
Confidence
87% confidence
Finding
Matched string: rm\\s+-rf\\s+/tmp/ (the first entry of the skill's "whitelist" array shown above, a regular expression stored in its configuration rather than a command the skill runs)

Tool Parameter Abuse

High
Category
Tool Misuse
Content
},
  "whitelist": [
    "rm\\s+-rf\\s+/tmp/",
    "rm\\s+-rf\\s+\\./node_modules",
    "example\\.com",
    "your[_-]?api[_-]?key",
    "sk-xxx",
Confidence
84% confidence
Finding
Matched string: rm\\s+-rf\\s+\\./ (a prefix of the second whitelist entry shown above, rm\\s+-rf\\s+\\./node_modules)
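
Both Tool Parameter Abuse hits are whitelist entries, so the question for a reviewer is not whether the skill runs `rm -rf`, but what those entries exempt. The added example below (not the skill's own filter) loads the five entries quoted above exactly as they sit in the JSON, including the doubled backslashes, and compares two ways of applying them: the plain unanchored search most allowlists use, where one matching substring exempts the whole text, and a covering rule, where each deny hit must lie entirely inside an allow match. The deny rules and the sample commands are assumptions for illustration; how the skill itself consumes its whitelist is not shown on the page.

```python
"""Added example, not the skill's own filter: load the whitelist entries quoted above
verbatim from JSON and test how they interact with a deny list."""
import json
import re

# The five entries visible on this page, as JSON text (backslashes doubled as in the file).
WHITELIST_JSON = r'''["rm\\s+-rf\\s+/tmp/", "rm\\s+-rf\\s+\\./node_modules",
                      "example\\.com", "your[_-]?api[_-]?key", "sk-xxx"]'''
ALLOW = [re.compile(p) for p in json.loads(WHITELIST_JSON)]

# Assumed deny rules for illustration; the skill's real rules are not on the page.
DENY = [re.compile(r"rm\s+-rf\s+/"), re.compile(r"sk-[A-Za-z0-9]{16,}")]


def deny_hits(text):
    """(start, end) spans of every deny-rule match in the text."""
    return [(m.start(), m.end()) for d in DENY for m in d.finditer(text)]


def covered(span, text):
    """True if some allow entry matches a region that fully contains the deny hit."""
    s, e = span
    return any(a.start() <= s and a.end() >= e for p in ALLOW for a in p.finditer(text))


def classify(text, mode="covering"):
    """'clean' (no deny hit), 'allowlisted' (exempted) or 'blocked'.
    mode="substring": any allow hit anywhere exempts the whole text, which is what an
    unanchored re.search allowlist does. mode="covering": every deny hit must sit
    inside an allow match, so an exempt prefix cannot carry a dangerous tail."""
    hits = deny_hits(text)
    if not hits:
        return "clean"
    if mode == "substring":
        return "allowlisted" if any(p.search(text) for p in ALLOW) else "blocked"
    return "allowlisted" if all(covered(h, text) for h in hits) else "blocked"


# Constructed inputs a reviewer would try against the entries.
KEY_SHAPED = "OPENAI_API_KEY=sk-" + "x" * 24        # real key shape, only partly covered by "sk-xxx"
SAMPLES = [
    "rm -rf /tmp/build",                            # the exemption the entry intends
    "rm -rf /",                                     # must stay blocked
    "rm -rf /tmp/ && rm -rf /",                     # exempt prefix, dangerous tail
    "OPENAI_API_KEY=sk-xxx",                        # placeholder, not key-shaped
    KEY_SHAPED,
]


def compare(samples=SAMPLES):
    """Verdict under both modes for each sample: {text: (substring, covering)}."""
    return {s: (classify(s, "substring"), classify(s, "covering")) for s in samples}


if __name__ == "__main__":
    for text, verdicts in compare().items():
        print(f"{text!r}: substring={verdicts[0]} covering={verdicts[1]}")
```

The covering rule also shows why the placeholder entries are narrower than they look: `sk-xxx` exempts the literal placeholder but cannot cover a full-length key that merely starts with those characters. What the covering rule does not solve is path semantics, for instance `rm -rf /tmp/../` is still covered by the `/tmp/` entry; resolving the target path is a separate check from regex matching.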

VirusTotal

66/66 vendors reported this skill as clean (no detections).
