Back to skill

Security audit

Terminal

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but clearly disclosed local terminal helper that runs shell commands and stores local command history.

Install only if you want an agent-assisted local terminal workflow. Treat commands from this skill like commands you type yourself: preview first, inspect exact commands before running them, use confirmation only when you understand the action, and use no-output storage for commands that may print secrets or private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
sys.exit(2)

    try:
        completed = subprocess.run(
            args.command,
            shell=True,
            cwd=args.cwd,
Confidence
98% confidence
Finding
completed = subprocess.run( args.command, shell=True, cwd=args.cwd, text=True, capture_output=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly advertises shell execution plus file read/write behavior, yet the manifest shown in SKILL.md does not declare any permissions. That creates a trust and policy gap: users or enforcement layers may treat the skill as lower risk than it really is, while the skill can still drive sensitive local actions such as reading files, modifying data, or executing commands.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description is broadly phrased to trigger on many generic user requests like debugging, automation, file inspection, and translating natural language into shell actions. Over-broad invocation increases the chance this high-risk shell skill is selected in situations where a narrower, safer skill should handle the request, exposing users to unnecessary command execution and file access risk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill persists terminal history to disk automatically in a user home directory, but this file can contain sensitive commands, file paths, arguments, or other locally revealing data. Although the code applies restrictive file permissions after writing, there is no indication here of user disclosure, opt-in, or controls at the point of storage, which creates a privacy and data-retention risk rather than a direct code-execution issue.

Unvalidated Output Injection

High
Category
Output Handling
Content
sys.exit(2)

    try:
        completed = subprocess.run(
            args.command,
            shell=True,
            cwd=args.cwd,
Confidence
93% confidence
Finding
subprocess.run( args.command, shell=True, cwd=args.cwd, text=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
sys.exit(2)

    try:
        completed = subprocess.run(
            args.command,
            shell=True,
            cwd=args.cwd,
Confidence
97% confidence
Finding
subprocess.run( args.command, shell=True

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.