Weekly Review Pilot

Security checks across malware telemetry and agentic risk

Overview

This skill is a local weekly-review drafting helper; its normal documented path reads user-selected notes and optionally writes a report, with no evidence of hidden network use, credential access, persistence, or destructive behavior.

Install this only if you want local weekly-review drafts from work notes. Treat those notes as sensitive, run the helper on the intended review file, choose the output path deliberately, and review the generated summary before sharing it. The package contains unused audit code, so avoid editing the bundled spec or repurposing it as a broad directory or secret scanner.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises executable capabilities by instructing use of `python3` and references reading templates/specs and writing output files, yet it declares no explicit permissions. This creates a trust and policy gap: a host or reviewer may assume the skill is non-executing/read-only when it can in fact trigger local script execution and file access.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill claims to be '默认只读' (read-only by default) and not to execute high-risk actions, but it explicitly authorizes shell/exec use to run a local Python script. That contradiction can mislead users and policy systems into granting more trust than warranted, while the invoked script may perform arbitrary local actions depending on its implementation and inputs.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script dispatches to multiple generic audit modes such as directory, CSV, pattern, and skill audits, which materially exceed the stated weekly-review purpose. In an agent-skill context, this broadens the capability from summarization into arbitrary local inspection, increasing the chance of unintended data enumeration and misuse on unrelated files or repositories.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The built-in pattern scanner searches arbitrary files for secrets, private URLs, and risky shell constructs, which is unrelated to producing weekly summaries. Even though it only reports matches, this creates a sensitive-content discovery mechanism that can expose confidential snippets from local files when the skill is invoked on broad paths.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill can inspect arbitrary skill/package layouts and parse SKILL.md frontmatter, which is outside the described weekly-review workflow. In practice, this enables repository reconnaissance and metadata harvesting against unrelated projects, expanding access to local content beyond the minimum necessary function.

VirusTotal

66/66 vendors flagged this skill as clean.
