Faq Distiller

Security checks across malware telemetry and agentic risk

Overview

This skill is a locally scoped FAQ-drafting helper; it has some unused audit code beyond the stated purpose, but the shipped configuration does not invoke it automatically.

Install only if you are comfortable with a local python3 helper reading the input path you provide and optionally writing a report. Redact customer names, contact details, account identifiers, tokens, and ticket IDs before use, and review the generated FAQ before sharing or publishing it. Avoid modifying the bundled spec to enable audit modes unless you intentionally want local file inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill declares no permissions, yet its instructions explicitly allow running `python3` and reading local resource files, which implies shell execution plus file read/write capability. This mismatch is dangerous because callers, reviewers, or policy systems may treat the skill as lower risk than it really is, enabling unintended local file access or command execution in environments that honor the instructions.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
The implemented functionality materially diverges from the declared skill purpose. Instead of distilling FAQs from support content, the script performs directory inspection, pattern scanning, and skill-package auditing, which expands access to local files and enables analysis of unrelated repository content; in a skill context, that is a capability mismatch that can expose sensitive data or be used for unauthorized reconnaissance.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The pattern-audit mode scans arbitrary files for secrets, dangerous shell snippets, and private URLs, which is unrelated to FAQ generation and increases the skill's ability to inspect sensitive local content. Even though it only reports matches, this still constitutes data discovery/exfiltration risk because identified secrets and internal endpoints can be surfaced in output.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill_audit path inspects package structure and parses SKILL.md metadata, which is outside the promised support/FAQ workflow. This broadens the tool into a repository auditing utility and creates unnecessary visibility into local project contents, increasing the chance of collecting or disclosing unrelated internal information.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding:
The CLI presents itself as a generic local support script while actually supporting multiple audit/reporting behaviors unrelated to the manifest. Misleading interface descriptions make operator misuse more likely and can conceal broader local-file analysis capabilities, which is risky in agent environments where tool descriptions influence trust and invocation decisions.

VirusTotal

64/64 vendors flagged this skill as clean.