Local Rag Index Planner

Security checks across malware telemetry and agentic risk

Overview

This skill is a local planning helper that can read user-selected input and optionally write a report, with no evidence of network transfer, credential use, persistence, or destructive behavior.

Install only if you are comfortable with a local python3 helper. Run it on specific, reviewed files rather than broad private directories, use stdout or dry-run first when unsure, and remove sensitive content from inputs because generated reports may reflect what you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares no explicit permissions, yet its instructions authorize reading local resources, writing output files, and invoking a shell command via python3. This mismatch can mislead users and any enforcement layer about the skill’s true capabilities, increasing the chance that filesystem access or command execution occurs without appropriate review or sandboxing.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: A planning-oriented skill that can also audit arbitrary directories, inspect file distributions, analyze CSV/TSV contents, scan for secrets or private URLs, and validate skill packages has materially broader behavior than its declared purpose. That kind of description-behavior gap is dangerous because it hides sensitive data discovery and generalized local inspection behind an innocuous RAG-planning label.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The document claims the skill is effectively read-only and avoids high-risk execution, but it explicitly permits shell/exec use through a local python3 script. This contradiction undermines operator trust and can cause users to approve a skill expecting passive planning behavior when it can actually execute code and produce filesystem side effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The manifest presents the skill as a planner that should generate reviewable text, yet the work rules authorize active script execution. For a planning-only skill, adding an execution pathway unnecessarily expands the attack surface, enabling command execution and file processing in contexts where users may not expect any operational behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The code implements a generic regex-based pattern scanner over arbitrary files and directories, including detection of secrets, private URLs, and dangerous shell patterns, which materially exceeds the stated purpose of planning local RAG indexing structure. This capability increases access to unrelated repository content and creates a scope-mismatch risk where users may unintentionally expose sensitive local data to a skill they would not have authorized for security scanning.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill contains a package-compliance audit routine that validates the presence and formatting of generic skill files like SKILL.md, README.md, and metadata JSON, which is unrelated to local knowledge-base indexing design. This hidden breadth makes the skill capable of auditing arbitrary skill packages and expands the data surface beyond what the description leads users to expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The repository scanning logic searches arbitrary files for secrets, internal URLs, and dangerous command snippets despite the skill being described as a local RAG index planner. In this context, the mismatch is more dangerous because users may supply broad local paths for planning purposes, unintentionally granting the tool visibility into highly sensitive repository material unrelated to indexing.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger examples are broad natural-language phrases that can plausibly appear in ordinary conversation, increasing the chance that the skill is invoked unintentionally. In an agent environment, accidental routing can cause the system to apply this skill in the wrong context, leading to misprocessing of user requests or bypass of more appropriate skills and safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.