
Security audit

universal-autostart

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its autostart-service purpose, but it includes high-impact persistence behavior plus an unrelated publisher script that can upload local skill files using a hardcoded API key.

Install only after reviewing the JSON config and confirming every program path, argument, and working directory is trusted. Treat install/uninstall as persistent system changes, especially on Windows where the task can run as SYSTEM. Do not run publish_textonly.py; the publisher should remove it from the distributed skill and revoke the embedded API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True)
    
    # Create the new scheduled task
    result = subprocess.run([
        'schtasks', '/create',
        '/tn', service_name,
        '/tr', f'"{sys.executable}" "{startup_script}"',
Confidence
95% confidence
Finding
result = subprocess.run([ 'schtasks', '/create', '/tn', service_name, '/tr', f'"{sys.executable}" "{startup_script}"', '/sc', 'onstart', # run at boot '/rl', 'hig

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(plist_content)
    
    # Load the launchd service
    result = subprocess.run(['launchctl', 'load', '-w', str(plist_path)],
                          capture_output=True, text=True)
    
    if result.returncode == 0:
Confidence
89% confidence
Finding
result = subprocess.run(['launchctl', 'load', '-w', str(plist_path)], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
self.logger.info(f"启动命令:{' '.join(cmd)}")
            self.logger.info(f"工作目录:{working_dir}")
            
            self.process = subprocess.Popen(
                cmd,
                cwd=working_dir,
                stdout=subprocess.PIPE,
Confidence
92% confidence
Finding
self.process = subprocess.Popen( cmd, cwd=working_dir, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, cre

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities that can read/write files, invoke shell commands, and perform networking, but the metadata does not declare any permissions. This undermines user consent and review because a consumer may approve an apparently low-risk skill that can actually modify startup settings, create services, and access local data or network endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
If the skill truly contains packaging, outbound upload behavior, and a hardcoded API key unrelated to service management, that is a serious description-behavior mismatch. Hidden publishing or exfiltration functionality combined with embedded credentials suggests covert remote interaction beyond the stated purpose and creates risk of unauthorized data transfer and abuse of the embedded account.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script packages local skill files and uploads them to an external SkillHub API, which is unrelated to the declared purpose of a local autostart service manager. In the context of an agent skill, undisclosed outbound publishing creates a data-exfiltration path and materially expands the trust boundary beyond local service management.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The module imports and uses a networking client to send packaged local content to a remote service even though the skill is described as managing Windows/macOS autostart services locally. That mismatch is dangerous because users and reviewers may authorize the skill for local persistence tasks without realizing it also performs outbound transmission.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description presents autostart/service management, but this code also acts as a general launcher for arbitrary executables or scripts with automatic restart. That mismatch matters because it hides a broader capability set useful for persistence and repeated execution of unauthorized payloads.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quickstart explicitly instructs users to run the installer with administrator privileges to create persistence, but it does not warn that this will modify system startup behavior and install a background service that survives reboots. In the context of an autostart/persistence skill, omitting safety warnings increases the risk that users grant elevated privileges to unreviewed configurations or binaries, enabling unintended or abusive persistence.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly instructs users to install persistent boot-time services with administrator privileges, but it does not clearly warn that this creates privileged persistence that survives reboots and can materially affect system integrity. In the context of an agent skill, normalizing admin-granted persistence without strong cautions increases the risk that users deploy long-lived background execution they do not fully understand or cannot easily audit.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The examples encourage unattended backup automation and silent/no-window background startup, but they omit warnings about unintended continuous execution, data access, or the consequences of running the wrong binary/script automatically. Because the skill is specifically about persistence, these examples can facilitate stealthy or unsafe deployment patterns if copied without review.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation tells users to install persistent services with administrator/root privileges but does not prominently warn that this will alter startup configuration and create background processes that survive reboots. That omission increases the chance that users enable persistence without understanding the security and recovery implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages loading environment variables from .env files without warning that these files often contain secrets such as API tokens, passwords, and database credentials. Because the managed service is persistent and logs are supported, users may unintentionally expose sensitive values to the service process or downstream logging and child processes.

Missing User Warnings

High
Confidence
99% confidence
Finding
A live API key is hardcoded directly in the source and then used for authenticated upload requests. Hardcoded secrets are high-risk because anyone with file access can reuse the credential to impersonate the publisher, upload or modify content, and potentially access associated account resources.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits a locally packaged set of files to a remote endpoint without any explicit user-facing consent, review step, or summary of what will leave the machine. In a skill whose stated purpose is local autostart management, this hidden export behavior increases the risk of unintentional disclosure of proprietary or sensitive local content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code creates and removes boot/login persistence mechanisms and writes startup scripts/plists with limited user-facing warning about the system changes being made. In a skill specifically designed for persistence, failing to make these effects explicit increases the chance of deceptive or accidental installation of long-lived background execution.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
)

:: Install the service
python "%~dp0universal_service.py" install "%CONFIG_FILE%" --no-check-admin

if %errorLevel% equ 0 (
    echo [OK] 安装完成!服务将在下次开机自动启动
Confidence
95% confidence
Finding
--no-check

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Install autostart (does not run the service immediately)
python universal_service.py install [config.json] [--no-check-admin]

# Uninstall autostart
python universal_service.py uninstall [config.json] [--no-check-admin]
Confidence
94% confidence
Finding
--no-check

Tool Parameter Abuse

High
Category
Tool Misuse
Content
python universal_service.py install [config.json] [--no-check-admin]

# Uninstall autostart
python universal_service.py uninstall [config.json] [--no-check-admin]

# Start the service manually
python universal_service.py start [config.json]
Confidence
94% confidence
Finding
--no-check

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.