Prompt Leak Auditor

Security checks across malware telemetry and agentic risk

Overview

This is a local prompt- and document-leak auditing skill; its file scanning and report writing are disclosed in its documentation and aligned with its stated purpose.

Install and use this only on files or directories you intend to audit. Prefer a copied prompt, SKILL.md, README, or small repo subset rather than a whole home directory, and review the generated Markdown before sharing it, because non-secret snippets such as internal URLs or command text may appear in it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises no declared permissions, yet its instructions explicitly allow invoking `python3` over user-supplied input/output paths and reference local resources under `{baseDir}`. This creates a capability gap where operators may assume the skill is read-only audit logic, while it can actually read local files and write generated output, increasing the chance of unintended data access or filesystem side effects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is a prompt leak auditor, but the behavior described by analysis is broader: generic directory profiling, CSV/TSV summarization, skill integrity checks, and output of matched high-risk snippets. That mismatch is dangerous because users may provide sensitive repositories expecting narrowly scoped redaction-focused auditing, while the skill can process unrelated content and potentially echo portions of secrets or internal text back in reports.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The dispatcher exposes multiple generic analysis modes (directory, CSV, structured brief, and skill audit) that go beyond the declared purpose of prompt/secret leakage auditing. In a security-audit skill, this scope creep increases the chance of collecting and transforming unrelated repository content, which can expose filenames, headings, metadata, and snippets that users did not intend to process.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The CSV mode performs generic schema and value-distribution summarization of user-provided data, which is not necessary for prompt-leak auditing. If pointed at sensitive exports, it can disclose field names and data characteristics, expanding the skill into a general data-inspection tool with unnecessary exposure risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The directory reporting logic inventories files and extracts Markdown headings from repository content, which can reveal project structure and content-derived information unrelated to leak detection. In the context of a prompt-leak auditor, that broad enumeration makes accidental disclosure more likely, especially when scanning internal repos or sensitive working directories.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The structured brief mode is a generic content-reformatting function that can transform arbitrary input into polished output without being tied to leak auditing. That broadens the tool into a general-purpose text processor, increasing the risk that sensitive prompts, rules, or secrets are reformatted and redistributed rather than minimized.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger examples are broad, natural-language phrases such as checking prompts for leakage risk or scanning skill copy for sensitive content. Because they lack stronger routing boundaries, the skill may be invoked unintentionally during ordinary review conversations, causing incorrect tool selection, noisy audits, or unnecessary exposure of local content provided for scanning. In this security-audit context, accidental invocation is more concerning than in a generic utility skill because users may pass sensitive prompts or internal documents to the skill.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: This mode reads repository files and emits filenames plus Markdown headings with no explicit warning that content-derived metadata may be exposed in output. Even without full file dumps, headings and paths often contain internal project names, incident details, URLs, or policy text that should not be broadly surfaced.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Pattern scan mode outputs matched snippets from file contents, and only partially masks one secret-like pattern. This can directly surface sensitive strings, internal URLs, commands, or policy fragments into console output or saved reports, which is especially dangerous for a skill explicitly focused on prompt and secret leakage.

VirusTotal

64/64 vendors flagged this skill as clean.
