Back to skill

Security audit

Classroom Lesson Pack

Security checks across malware telemetry and agentic risk

Overview

The skill’s normal behavior is a disclosed local lesson-plan generator, though its helper script contains inactive audit modes that users should not enable unless they intend local file inspection.

Reasonable to install for drafting lesson plans from chosen teaching materials. Run it only on specific lesson inputs, avoid sensitive student or private project files, and do not modify resources/spec.json to enable audit modes unless you intentionally want local file inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares itself as a lesson-plan generator, but it explicitly permits shell execution via `python3` and references local file inputs/outputs and resource files, indicating effective read/write and execution capability without corresponding declared permissions. This creates an integrity and review gap: operators may trust the skill as low-risk educational content while it can access local files and run code in the host environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a serious description-behavior mismatch. The skill is presented as an education workflow assistant, but the reported behavior includes directory scanning, content auditing, secret/high-risk pattern detection, CSV/TSV analysis, and mode-based behavior switching from `spec.json`—capabilities far outside normal lesson-plan generation and consistent with a general filesystem inspection tool. Such hidden scope expansion is dangerous because users may provide trust and data access appropriate for teaching content, while the skill can inspect unrelated files and generate security-style audit outputs.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script implements directory auditing, repository inspection, and code/pattern scanning capabilities that are unrelated to the declared educational lesson-pack purpose. This mismatch is dangerous because it expands the skill’s effective access and data-processing scope, enabling inspection of arbitrary local files and codebases under the guise of a classroom tool.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The built-in regex patterns search for secrets, private/admin URLs, and dangerous shell-command constructs across user-supplied files or directories. In a lesson-pack skill, this is unjustified sensitive-content discovery behavior and could expose confidential material from local projects if the skill is run on broad paths.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can traverse arbitrary directories and perform package-structure audits, including validating skill layouts and sampling repository files. That behavior is inconsistent with the advertised teaching function and creates unnecessary access to unrelated local content, increasing privacy and trust-boundary risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The CLI presents itself as a generic local support script, while the implementation includes repository and pattern-audit behaviors not apparent from the manifested lesson-pack intent. Misleading interface text undermines informed consent and can cause users to run the tool on sensitive inputs without understanding its true behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.