Skill Pack Composer

Security checks across malware telemetry and agentic risk

Overview

This skill is a local, review-oriented skill bundle auditor that reads user-provided files or directories and writes optional reports, with no evidence of networking, credential use, persistence, publishing, or destructive behavior.

Install only if you need local Skill bundle review. Run it against the specific Skill or bundle directories you intend to audit, avoid broad home or project roots containing unrelated sensitive files, and review generated reports before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises and documents executable capabilities (`python3` invocation) plus reads local resources and writes output files, but it declares no explicit permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may treat it as low-risk packaging logic while it can access the filesystem and invoke a shell-executed process, increasing the chance of unintended file access or execution in broader contexts.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documented purpose is a narrowly scoped skill-pack composer, but the observed behavior reportedly includes broad file scanning, report generation from arbitrary text, CSV/TSV inspection, regex-based secret/high-risk pattern scanning, and single-skill validation. This scope expansion is dangerous because it enables the skill to process and inspect data far beyond packaging, potentially exposing sensitive local content and bypassing user expectations or safety routing based on the benign description.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The dispatcher exposes multiple generic audit/reporting modes that go well beyond the declared purpose of a skill-pack composer. In an agent environment, this creates unintended capability expansion: a caller can use the skill to inspect arbitrary directories, files, and skill packages, which increases data exposure and makes the skill more useful for reconnaissance than for bundle composition.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The pattern scanning logic lets the skill inspect arbitrary files/directories for secrets, private URLs, and risky shell snippets despite that not being part of pack composition. Even though it only reports matches, this still enables sensitive-content discovery and lightweight secret reconnaissance across user-provided paths.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The directory, CSV, and generic skill-audit helpers allow broad inspection of arbitrary local content unrelated to composing skill packs. In context, that mismatch means the skill can be repurposed to enumerate files, summarize contents, and analyze structures outside its advertised scope, increasing the risk of unintended information disclosure.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger examples are broad natural-language phrases such as asking to combine skills or check packaging issues, which can plausibly appear in ordinary conversation and unintentionally invoke the skill. In an agent environment, overly generic routing phrases increase the chance of mis-selection, causing the agent to apply this packaging/audit skill in the wrong context and produce misleading or inappropriate actions.

VirusTotal

63/63 vendors flagged this skill as clean.