Release Note Localizer

Security checks across malware telemetry and agentic risk

Overview

This is a local release-note localization helper; the scanner flagged extra dormant audit code, but the packaged configuration keeps normal use scoped to user-provided input and optional output files.

Install only if you are comfortable running a local Python helper on release-note text you choose. Prefer dry-run/stdout or a deliberate output path, and avoid sensitive legal or confidential documents unless you have reviewed and sanitized the input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises no declared permissions, yet its instructions explicitly allow use of python3 and imply reading local resources and writing output files. That mismatch weakens transparency and permission boundaries, making it easier for a seemingly low-risk localization skill to access or modify files or invoke shell-backed tooling without clear user awareness.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The declared purpose is release-note localization, but the detected behavior includes generic filesystem inspection, pattern scanning, CSV/TSV analysis, Markdown extraction, and configurable audit modes. This broad, off-purpose capability is dangerous because users may provide access believing the skill only translates content, while it can instead enumerate project files, inspect unrelated data, and surface sensitive material such as secrets or private URLs.

Description-Behavior Mismatch (High)
Confidence: 97%
Finding:
The script’s primary behavior is a multi-mode auditing and scanning utility, not a release-note localization tool as advertised. This capability mismatch is dangerous because it enables broad inspection of arbitrary files and directories under the guise of a translation workflow, which can expose sensitive content and violate least-privilege expectations for users invoking the skill.

Context-Inappropriate Capability (High)
Confidence: 98%
Finding:
The embedded pattern scanner searches arbitrary content for secrets, shell abuse, and private URLs, which is unrelated to localization and materially increases data exposure risk. In this skill context, hidden scanning functionality is especially suspicious because it can collect or surface sensitive snippets from user-provided repositories or documents that were only expected to be translated.

Context-Inappropriate Capability (Medium)
Confidence: 93%
Finding:
The code can recursively enumerate arbitrary directories and inspect file contents, including Markdown headings and file inventories, despite the skill being described as a release-note localization utility. This expands access far beyond the declared purpose and can unintentionally disclose repository structure or sensitive document content to outputs or logs.

Intent-Code Divergence (Medium)
Confidence: 90%
Finding:
The CLI description presents the script as a generic support script for the skill while the actual implementation includes unrelated scanning and audit features. Misleading interface text is security-relevant here because it prevents users from understanding the true scope of file inspection and may lead them to run the tool on sensitive paths without informed consent.

Vague Triggers (Medium)
Confidence: 88%
Finding:
The trigger examples are broad enough that ordinary editing requests such as translating release notes or rewriting tone could invoke the skill unintentionally. In an agent-routing context, this can cause misrouting, unnecessary processing of sensitive text, or application of the wrong workflow without clear user intent.

Natural-Language Policy Violations (Medium)
Confidence: 80%
Finding:
The README frames the skill around Chinese and English outputs without clearly stating whether other languages are unsupported or user-selectable. This can lead to incorrect assumptions by routing logic or users, causing the skill to process content in an unintended language mode and produce inaccurate or unsuitable output.

VirusTotal

66/66 vendors flagged this skill as clean.
