Back to skill

Security audit

Case Study Factory

Security checks across malware telemetry and agentic risk

Overview

This skill generates case-study drafts from user-supplied local material and does not show evidence of networking, credential access, persistence, destructive behavior, or hidden automatic execution.

Install only if you are comfortable with a local python3 helper from this publisher. Use explicit, approved input files, avoid raw confidential or personal data unless it is meant to be processed locally, and review any generated case-study draft before sharing or publishing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises no declared permissions, yet its instructions explicitly allow use of python3 and imply reading local resources and writing output files. This creates a capability/permission mismatch that can mislead policy enforcement, reviewers, or users about what the skill can access and modify, weakening trust and containment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is case-study generation, but the observed behavior includes broad local file and directory analysis, CSV auditing, pattern scanning, and skill auditing unrelated to narrative writing. That scope expansion is dangerous because it turns a content skill into a general local inspection tool, increasing the chance of unauthorized data discovery, secret exposure, or misuse under a misleading label.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims to be default read-only and safety-bounded, but also instructs generation of executable shell invocations and 'executable checklists.' Even if commands are not auto-run, presenting operational commands under a read-only framing can induce unsafe operator trust and facilitate unintended execution against local or external systems.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script implements broad repository inspection, file enumeration, content sampling, pattern scanning, and skill-package auditing capabilities that materially exceed the stated purpose of converting project materials into case-study articles. In a skill context, this creates an unjustified data-access surface that can expose unrelated local files, internal structure, headings, and potentially sensitive content during normal use.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The built-in regex engine scans files and directories for secrets, internal URLs, and risky command patterns, which is unrelated to a storytelling/case-study skill. Even though it only reports matches, this can surface sensitive tokens, internal endpoints, or command snippets from arbitrary local content and turns the skill into a lightweight reconnaissance tool.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill can audit another skill/package layout, inspect SKILL.md frontmatter, and report missing files and metadata validity, none of which is necessary for generating customer case studies. This increases capability beyond user expectation and may reveal repository structure, package internals, and metadata from local directories unrelated to the requested content task.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The CLI description presents the program as a generic local support script, but the actual implementation supports expansive audit and scanning modes. This mismatch can mislead operators into granting trust or access they would not have provided if the true behavior were clearly disclosed, increasing the chance of unintended local data exposure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger examples use very broad natural-language phrases like '把这个项目写成案例文章' and '整理成可复用案例模板', which can overlap with ordinary user requests unrelated to this specific skill. In agent environments that auto-route by semantic matching, this can cause unintended invocation of the skill on arbitrary project materials, increasing the chance of processing sensitive content or bypassing more appropriate workflow-specific controls.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.