Back to skill

Security audit

Integration Testing

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate integration-testing skill, but some helper scripts make persistent host changes and install or execute external software without clear opt-in.

Install only if you are comfortable reviewing and controlling the helper scripts. Run it in an isolated development environment, avoid letting the scripts modify ~/.bashrc, keep AWS and Testcontainers variables scoped to a project or one terminal session, remove TESTCONTAINERS_RYUK_DISABLED unless you intentionally want containers to persist, and verify downloaded or installed dependencies before executing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"📥 Downloading WireMock {wiremock_version}...")
    try:
        subprocess.run(
            ['curl', '-L', '-o', wiremock_jar, wiremock_url],
            check=True
        )
Confidence
89% confidence
Finding
subprocess.run( ['curl', '-L', '-o', wiremock_jar, wiremock_url], check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Start WireMock
    try:
        process = subprocess.Popen(
            ['java', '-jar', jar_path, '--port', str(port)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE
Confidence
92% confidence
Finding
process = subprocess.Popen( ['java', '-jar', jar_path, '--port', str(port)], stdout=subprocess.PIPE, stderr=subprocess.PIPE )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for package in packages:
        try:
            subprocess.run(
                [sys.executable, '-m', 'pip', 'install', package],
                check=True
            )
Confidence
86% confidence
Finding
subprocess.run( [sys.executable, '-m', 'pip', 'install', package], check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Install LocalStack
    print("📥 Installing LocalStack...")
    try:
        subprocess.run(
            ['pip', 'install', 'localstack'],
            check=True
        )
Confidence
91% confidence
Finding
subprocess.run( ['pip', 'install', 'localstack'], check=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill includes examples and referenced helper scripts that imply network access, file operations, and likely shell/container orchestration, but it does not declare any permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate what the skill can do, increasing the chance of unintended filesystem changes, container launches, or outbound connections during use.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The security notes state that all services run locally in isolated environments, but the SFTP example uses a hostname and performs a real network connection via SSH/SFTP. That mismatch can mislead users into believing the skill is fully local-only, when it may reach external systems, potentially exposing credentials, test data, or causing unintended interaction with non-test infrastructure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Appending exports to `~/.bashrc` makes persistent changes to the user's shell environment beyond the immediate setup task. This is dangerous because it silently alters future sessions and can affect unrelated workflows, especially with `TESTCONTAINERS_RYUK_DISABLED=true`, which may leave containers/resources running and reduce cleanup safeguards long-term.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The script sets `TESTCONTAINERS_RYUK_DISABLED=true` and comments that containers will not be cleaned up after tests, effectively disabling an important cleanup/safety mechanism for future sessions once persisted. Even if the comment is imprecise, the resulting configuration can leave orphaned containers and resources behind, increasing exposure and operational risk on the host.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This setup script performs package installation via pip, which exceeds a narrow 'start LocalStack' role and can execute unreviewed third-party installation logic. In a developer tooling context this is especially relevant because users may run the script with broad local permissions and assume it only starts test infrastructure.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script appends AWS-related environment variables to `~/.bashrc`, creating persistent changes outside the immediate test session. This can unintentionally affect future shells and tools, potentially redirecting AWS operations or leaving misleading credentials/endpoints in the user's environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Silently appending commands to `~/.bashrc` without user approval is an unsafe setup pattern because it creates persistent side effects outside the project boundary. In a developer skill, this is more concerning because users may run the script expecting temporary test setup, not permanent shell mutation that changes future behavior.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Installing packages via pip without a clear upfront warning or confirmation is a genuine safety issue because it changes the environment and pulls code from package repositories automatically. In this integration-testing skill the action is related to the purpose, so the context makes it somewhat less suspicious, but it is still risky from a user-consent and supply-chain standpoint.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script writes directly to `~/.bashrc` without an explicit warning, confirmation, or review of the content being appended. Silent persistence is dangerous in developer environments because it can unexpectedly alter command behavior and survive long after the LocalStack test session ends.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code sets Paramiko to AutoAddPolicy, which disables proper SSH host key verification and blindly trusts whatever server responds. That permits man-in-the-middle interception in test networks and can normalize an unsafe pattern that developers may later copy into non-test code.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.