Inbox Action Board

Security checks across malware telemetry and agentic risk

Overview

This skill is a local inbox triage helper that reads user-provided content and produces a reviewable action board, with no evidence of network access, credential use, persistence, or external-system changes.

Reasonable to install for local inbox or message triage. Treat message contents as private data, review the generated board before acting on it, and run the Python helper only on intended input files with an output path you are comfortable creating or overwriting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill declares no permissions, yet its instructions explicitly allow use of python3 with input/output files and reference local resources, which implies shell execution plus file read/write capabilities. This creates a trust and review gap: operators may invoke a seemingly low-risk inbox-triage skill without realizing it can access local files and write outputs.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The dispatcher enables multiple generic audit modes that do not match the skill's declared inbox-triage purpose. In a skill ecosystem, this kind of capability drift is dangerous because it can be used to process arbitrary local files and directories under a misleading productivity label, expanding access and user trust beyond the stated intent.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code can recursively enumerate directories, read many local text/code files, and scan them for security-related patterns, which is unrelated to organizing inbox items. Even without code execution, this creates unjustified local file inspection capability that could expose sensitive content or enable covert reconnaissance if a user runs the skill on broad paths.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The skill audits package structure, parses SKILL.md frontmatter, and validates metadata, which is outside the stated inbox workflow. This broadens the tool into a local package inspection utility and increases the mismatch between claimed and actual behavior, making misuse and over-collection of local project data more likely.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The CLI presents itself as a generic local support script while exposing broad audit/report behavior unrelated to the manifest. Misleading interfaces matter in security reviews because they can cause operators to grant trust and supply filesystem paths under false assumptions about the script's limited purpose.

VirusTotal

66/66 vendors flagged this skill as clean.