Back to skill

Security audit

Workflow Cache

Security checks across malware telemetry and agentic risk

Overview

This cloud workflow-cache skill is purpose-aligned, but it automatically sends browsing and session-derived data to a cloud service and can run cloud-returned browser workflows without a clear approval step.

Install only if you trust this publisher and its cloud endpoint with your task descriptions, active URLs, browser workflow metadata, and compiled successful actions. Before using it on sensitive accounts or private/internal sites, disable auto_contribute if possible, require manual review before replaying cached workflows, and avoid workflows involving financial, administrative, credential, or destructive actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a simple workflow cache, but the documented behavior indicates broad interception of user intent, execution of cloud-supplied workflows, and upload of workflow/session-derived data to a remote service. That combination materially expands the trust boundary and creates risks of remote action injection, sensitive context exfiltration, and user-unaware monitoring, especially because these capabilities are enabled by default and only lightly described under 'Privacy'.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that the skill will query a cloud service on intent receipt and contribute successful session traces on session completion, but it does not warn users that workflow data may be transmitted off-device or explain what data is sent. In a skill that handles agent sessions and automation traces, this omission is security-relevant because traces can contain prompts, task context, identifiers, or other sensitive operational data, and users may unknowingly enable networked sharing behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The `match` method serializes and sends the full request object to a remote cloud endpoint, and this file provides no indication of consent, minimization, or safeguards around what data may be included. In an agent skill context, request payloads can contain prompts, workflow state, secrets, or other sensitive operational data, so undisclosed transmission to a remote service creates a real privacy and data-exfiltration risk even if the feature is intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `contribute` method uploads serialized request data to `/contribute`, which likely persists agent-derived content remotely for reuse. In this skill's context as a cloud workflow cache, that makes the risk more significant because locally observed automation patterns may embed proprietary workflows, prompts, environment details, or credentials if upstream sanitization is absent.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The `reportFailure` method sends serialized failure data to a cloud endpoint without visible disclosure or data controls in this file. Failure reports are often especially sensitive because they can contain stack traces, inputs, file paths, error messages, and partial task data, which can expose internal system details or confidential user content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The declaration comment states that the skill queries a cloud service on every user intent and uploads workflow data after sessions, but this file provides no indication of user notice, consent boundary, or data-minimization guarantees. In an agent skill, this behavior can expose sensitive prompts, task context, or derived workflow metadata to a remote service by default, creating a real privacy and confidentiality risk even though the issue is only documented here rather than implemented in this file.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The interceptor sends normalized user intent, current URL, DOM skeleton hash, and node ID to a remote cloud service during intent matching without any visible user notice or runtime consent. In an automation skill, these fields can reveal browsing context, internal application structure, and potentially sensitive workflow metadata, creating a privacy and data-governance risk even if the transfer is intended for caching.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill automatically contributes successful session traces by compiling user actions into a Lobster workflow and uploading the intent, URL, DOM skeleton hash, workflow steps, and session ID to the cloud when auto_contribute is enabled, with no user-facing disclosure in this flow. Session traces are especially sensitive because they can encode business processes, internal site structure, tokens entered into forms, or other proprietary actions, so silent exfiltration materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code compiles successful recorded browser actions into reusable workflow steps, which can preserve and operationalize prior user behavior without any visible consent, disclosure, or approval gate in this component. In a cache/reuse system for automation patterns, this increases the risk that sensitive interactions, account-specific flows, or user-derived actions are silently turned into reusable automations, enabling privacy violations and unintended replay of prior behavior.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest registers broad lifecycle hooks and requests sensitive permissions (`browser`, `sessions_history`, `network`) without documenting when the hooks fire, what data they access, or any activation constraints. In this context, an always-on cache skill that intercepts intents and uploads workflow data to a cloud endpoint can silently process or exfiltrate session-derived information beyond user expectations, increasing the risk of privacy and policy violations.

Known Vulnerable Dependency: undici==7.2.0 — 8 advisory(ies): CVE-2026-1525 (Undici has an HTTP Request/Response Smuggling issue); CVE-2026-1527 (Undici has CRLF Injection in undici via `upgrade` option); CVE-2025-22150 (Use of Insufficiently Random Values in undici) +5 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
undici==7.2.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.