Li Base Scan

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real security scanner, but some modes under-disclose local whole-filesystem secret scanning and stealth scan behavior.

Install only in an isolated, low-privilege environment and scan only systems you are authorized to test. Avoid stealth mode, and avoid full/compliance modes unless you accept that the local agent filesystem may be scanned for vulnerabilities, misconfigurations, and secrets. Protect or delete saved reports/history, and use a verified package or pinned installer instead of the documented curl-to-shell command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents shell execution, filesystem reads/writes, network access, and logging/report persistence, but no explicit permissions are declared. That creates a trust and containment gap: users or orchestration layers may treat the skill as lower-risk than it actually is, while it can run scanners, write reports/history, and inspect local resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior exceeds the stated purpose of a single-host scanner by including broad chat triggers, AI-analysis content generation, local host auditing via Lynis, and filesystem vulnerability scanning via Trivy. This mismatch can cause unintended local reconnaissance or data collection on the machine running the skill, even when the operator believes only a remote target is being assessed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is advertised as a single-host scanner, but in `run_scan` the Trivy step ignores the provided target and runs `run_trivy("/")`, causing a whole-filesystem scan of the local machine. This broadens scope from remote host assessment to local host inspection and may expose sensitive local files, secrets, packages, and configuration data far beyond what a user intended.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The Trivy configuration enables `secret` scanning on the local filesystem, which can discover credentials, keys, tokens, and other sensitive material unrelated to the advertised base scan purpose. In combination with scanning `/`, this materially increases privacy and data-exposure risk because the tool may collect and include secret-related findings from the executing host.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The interface presents itself as an interactive security scanner, but the main message-processing path only returns conversational text and does not invoke the supplied scan function when scan requests are made. This is dangerous because users may believe a security assessment was performed and rely on nonexistent results, creating a false sense of security and operational blind spots.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The export handler claims that it will generate a report file and even provides a downloadable path, but it never writes any file. In a security tool, this can mislead operators into believing evidence or reports were preserved when they were not, undermining auditability and incident response workflows.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The scan command handlers and help text state that scans will run, but the code only acknowledges intent and displays planned options without executing any scanning logic. This can cause users to trust absent scans and make security decisions based on assumptions rather than collected evidence.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises LLM-based analysis and documents `LLM_API_KEY`/`LLM_API_URL`, but it does not clearly warn users that scan results, target details, or other sensitive assessment data may be sent to an external service. In a security scanning skill, this omission is material because users may reasonably assume findings remain local, leading to unintended disclosure of internal infrastructure or vulnerability data to third-party providers.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Follow-up prompts like '发现什么漏洞?' ("What vulnerabilities were found?") and '给我修复建议' ("Give me remediation advice") are so broad that an agent may treat ordinary conversation as authorization to continue scanning, analyze prior results, or trigger additional actions. In a security-scanning skill, overbroad natural-language triggers increase the risk of accidental scans, unintended scope expansion, or misuse through prompt ambiguity.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Examples such as '检查系统安全' ("Check system security") and '基线扫描' ("baseline scan") omit a target and scope, which can cause the skill to default to scanning the local machine or infer scope from context. For a tool that also integrates Lynis and Trivy, this ambiguity is particularly risky because it may lead to unintended local auditing and sensitive data collection.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill stores scan history and exports reports, but the documentation does not warn that these artifacts may contain sensitive network topology, service banners, vulnerabilities, filesystem findings, or host configuration details at rest. This omission can lead operators to persist high-value security data without access controls, retention limits, or sanitization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code performs a filesystem-wide local Trivy scan without an explicit user-facing warning that local files and secrets will be inspected. Even if the scan is technically authorized by the operator running the script, the lack of clear disclosure creates a significant consent and scope problem and can lead to unintended collection of sensitive local information.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Exported reports persist target information, findings, and potentially sensitive scan details to disk under a fixed directory, but the user is not clearly informed up front about that persistence behavior. In a security-scanning context, saved reports may contain sensitive host, service, vulnerability, and secret-discovery metadata that increases exposure if the system is later accessed by another party.

Ssd 2

Medium
Confidence
94% confidence
Finding
A documented 'stealth scan' mode explicitly aims to avoid IDS/IPS detection, which is dual-use behavior associated with evasion rather than routine defensive assessment. In an agent skill, packaging this as a normal feature lowers the barrier to misuse and increases the likelihood of unauthorized or harder-to-detect scanning.

External Script Fetching

Low
Category
Supply Chain
Content
```
apt-get install -y nmap lynis nikto sqlmap

# Install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
```

### Usage Recommendations
Confidence
97% confidence
Finding
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh

External Script Fetching

Low
Category
Supply Chain
Content
```
apt-get install -y nmap lynis nikto sqlmap

# Install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
```

### Usage Recommendations
Confidence
97% confidence
Finding
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```
apt-get install -y nmap lynis nikto sqlmap

# Install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
```

### Usage Recommendations
Confidence
98% confidence
Finding
| sh

Chaining Abuse

High
Category
Tool Misuse
Content
```
apt-get install -y nmap lynis nikto sqlmap

# Install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
```

### Usage Recommendations
Confidence
98% confidence
Finding
| sh

VirusTotal

63/63 vendors flagged this skill as clean.
