Security audit

Changelog Curator

Security checks across malware telemetry and agentic risk

Overview

This is mainly a local changelog drafting skill, with disclosed Python file input/output and no evidence of hidden networking, credential theft, destructive actions, or persistence.

Reasonable to install for drafting changelogs from release notes, commit summaries, or PR notes. Run the Python helper only on intended files, choose output paths deliberately, and review public release wording before publishing. Do not edit the bundled spec to enable audit modes unless you intentionally want broader local file inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises no explicit permissions, yet the content clearly enables local file access, shell execution via python3, and output file creation. This creates a transparency and governance gap: operators may invoke a skill believing it is low-privilege when it can actually read from and write to the filesystem and execute local code.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose is narrowly framed as changelog curation, but the detected behavior indicates generalized scanning, auditing, CSV/TSV inspection, security pattern detection, and mode-dependent behavior driven by an external spec. That mismatch is dangerous because it can conceal broader data access and analysis capabilities than a user or platform reviewer would reasonably expect from a changelog skill.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The documentation claims the skill is default read-only and auditable, but it explicitly instructs writing an output file through a local script. This inconsistency can mislead users and reviewers about side effects, increasing the risk of unauthorized file modification, accidental overwrite, or use of generated artifacts in downstream workflows without clear consent.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The dispatcher supports multiple generic audit modes such as directory, CSV, pattern, and skill auditing that materially exceed the declared purpose of changelog curation. In an agent setting, this broadens the skill from a narrowly scoped documentation helper into a general repository inspection tool, increasing the chance of unintended data access and misuse across unrelated files.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code implements pattern-based scanning for secrets, private URLs, and shell-danger indicators, which is a security auditing capability not justified by the advertised changelog-curator function. Even though it is read-only, it can expose sensitive snippets from arbitrary files and enable covert repository reconnaissance under the cover of a benign documentation skill.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The skill performs repository compliance and structure auditing, including checking for expected files and parsing SKILL.md frontmatter, which is unrelated to changelog generation. In context, this makes the skill capable of inspecting internal project layout and metadata beyond what users would reasonably expect, creating scope creep and information exposure risk.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.