Security audit

windows-healing-gateway

Security checks across malware telemetry and agentic risk

Overview

This Windows self-healing skill has a plausible purpose, but it installs persistent PowerShell automation with broad repair authority and too little scoping or disclosure.

Install only after reviewing the PowerShell scripts that are not bundled with the skill but live in the source repository, and confirming exactly what they can stop, edit, disable, restart, and send externally. Use limited credentials, avoid sensitive systems first, restrict permissions on the environment file, and make sure you have a tested way to disable or remove the scheduled tasks.

SkillSpector by NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Medium severity, 89% confidence
Finding
The task metadata describes a specific crash auto-repair function, but the actual action is a hidden PowerShell launch at boot, registered with ExecutionPolicy Bypass against a user-writable script path. That mismatch reduces transparency and establishes persistence for arbitrary script execution, which makes the task more dangerous if the referenced script is modified, replaced, or misleadingly presented as a benign monitor.

Missing User Warnings

Medium severity, 86% confidence
Finding
The README advertises autonomous repair behavior that can alter system state, including fixing configuration issues and plugin problems, without clearly warning users that these actions may be destructive or require review. In the context of a Windows self-healing agent with persistent monitoring, undocumented automatic changes increase the risk of unintended service disruption, data loss, or unsafe remediation behavior.

Missing User Warnings

Medium severity, 92% confidence
Finding
The quick-start deployment instructions encourage running a PowerShell deployment script with ExecutionPolicy Bypass and mention Task Scheduler usage elsewhere, but do not clearly warn that installation creates persistent background monitoring and may require elevated privileges. This is dangerous because users may execute a privileged, persistence-establishing script without informed consent, increasing the risk of stealthy long-running behavior or misuse on sensitive Windows systems.

Missing User Warnings

High severity, 95% confidence
Finding
The repair capabilities explicitly include killing conflicting processes and disabling plugins, but the README provides no safety controls, scope limitations, or warning about possible disruption to unrelated applications or system functionality. In a self-healing gateway context, automatic termination or disabling actions can cause denial of service, loss of work, or broader instability if detection logic is wrong or manipulated.

Missing User Warnings

Medium severity, 92% confidence
Finding
The skill advertises continuous monitoring and automatic repair on a Windows host, but the description does not clearly warn that installing it will create persistent scheduled automation that can monitor processes and take remediation actions without per-action user approval. In a system-management skill, this omission matters because users may not realize the operational scope, persistence, and potential for unintended system changes until after deployment.

Missing User Warnings

Medium severity, 95% confidence
Finding
The documentation mentions Telegram alerts but does not disclose what data may be sent externally, such as logs, hostnames, error messages, or other diagnostic details. This creates a privacy and data-handling risk because operators may configure external notification channels without understanding that potentially sensitive system information could leave the machine or organization.

Missing User Warnings

Medium severity, 84% confidence
Finding
The documentation instructs users to run a deployment script that likely creates scheduled tasks and modifies Windows system behavior, but it gives no warning about privilege requirements, persistence effects, or what changes will be made. In a security-sensitive context, undocumented system modification increases the chance that users execute powerful scripts blindly, which can mask harmful persistence or unsafe configuration changes.

Vague Triggers

Medium severity, 89% confidence
Finding
The manifest exposes system-altering tools like deployment and repair with vague descriptions that do not clearly limit when they should be invoked. In an agent setting, underspecified tool purposes increase the chance of unintended or over-broad execution, especially because the linked commands run PowerShell scripts and interact with Windows Task Scheduler.

Missing User Warnings

Medium severity, 93% confidence
Finding
The manifest advertises deploy and repair actions that can change system state, but it provides no user-facing warning that these tools execute PowerShell with ExecutionPolicy Bypass and may create or modify scheduled tasks. This is dangerous in an agent workflow because users or higher-level orchestration may invoke these actions without understanding that they perform privileged persistence-like changes on Windows.

VirusTotal

66/66 vendors flagged this skill as clean.