tetra-scar

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed local memory and safety-audit tool, but its CI action and broader repository-audit features deserve careful review before installation.

Install only if you want both the scar-memory behavior and the included code-audit tooling. Treat memory and training JSONL files as sensitive project data, avoid recording secrets, prefer local-only scans unless you trust the repo URL, and pin the GitHub Action to a reviewed tag or commit with fixed, trusted inputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises executable capabilities that imply file access, file modification, shell execution, and possible network use, but it declares no permissions at all. That mismatch weakens review and containment because an operator may approve or install the skill without understanding the actual access it needs, enabling over-privileged or unexpected behavior at runtime.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is a local memory/reflex mechanism, but the behavior reportedly extends to repository scanning, cloning remote GitHub repositories, CI build-failing logic, and separate audit/safety modules. This hidden expansion materially changes the trust boundary: a user expecting a local memory utility could instead grant a skill that performs broader code analysis, network retrieval, and enforcement actions, increasing the chance of unintended data access, supply-chain exposure, or disruptive automation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a repository auditing product that scans local paths and clones remote GitHub repositories, which materially exceeds the declared scar-memory and decision-trace purpose of the skill. This kind of capability mismatch is dangerous because users or orchestrators may grant the skill trust and permissions appropriate for memory management while it performs unrelated code acquisition and analysis operations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The clone_repo function adds external network access and local repository materialization, which are outside the stated memory/reflex-trace functionality. In skill ecosystems, undeclared capabilities are risky because they expand data access and execution surface in ways operators may not expect or authorize.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Subprocess-based git cloning is an unjustified capability for a scar-memory skill and introduces extra attack surface through external process execution and network retrieval. Even without shell injection, spawning git can trigger protocol handling, fetch untrusted content, and create side effects inconsistent with the advertised role of the skill.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module docstring explicitly markets a GitHub repository audit service as 'the product,' contradicting the manifest's description of a scar-memory system. Misrepresentation of purpose is security-relevant because it can bypass human review, confuse policy enforcement, and justify capabilities that should have required separate scrutiny.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Cloning a repository is a network operation that transmits the target URL and initiates outbound communication without any explicit user-facing warning or confirmation in the code path. While low severity on its own, this matters more here because the skill is presented as memory tooling, so users may not expect network access or data retrieval behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The export function serializes accumulated scars and decision traces to a JSONL file without consent prompts, redaction, classification, or access controls. In this skill's context, those records are likely to contain sensitive prompts, failure details, operational context, and decision rationales that could leak secrets or proprietary data if the filesystem is shared, synced, or later used for training.

VirusTotal

60/60 vendors flagged this skill as clean.