Back to skill

Security audit

Ghostprint

Security checks across malware telemetry and agentic risk

Overview

Ghostprint is openly a synthetic LLM-traffic generator, but it needs Review because it automatically sends recurring, billable requests using existing provider credentials and is designed to mimic real human usage.

Install only if you deliberately want recurring synthetic LLM requests sent from your provider accounts. Expect possible API charges, provider logging, account-policy issues, and audit noise; configure explicit provider limits, consider separate low-budget keys, monitor usage, and know how to disable the plugin or remove any cron entry before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill can install itself into the user's crontab, creating persistence and recurring outbound network activity. In a plugin/agent context, scheduler modification is sensitive because it survives the current run and may be enabled without the user fully understanding the ongoing background behavior and API-key usage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This documentation explicitly recommends operational privacy-evasion tactics such as using separate API accounts, proxies/VPN/Tor, and suppressing local logs while generating synthetic traffic to third-party LLM providers. Even though this is only markdown, it normalizes and guides privacy-impacting network behavior without a prominent warning that the tool will send fabricated prompts and associated metadata to external services, which can create legal, policy, billing, and privacy risks for users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes a background scheduler that reuses existing provider API keys to send automated requests, but the surrounding install/usage text does not foreground that enabling the plugin causes recurring third-party network traffic and billable API consumption. In a privacy/security-oriented tool, this omission is risky because users may enable it inside a gateway expecting passive protection rather than active outbound traffic on their accounts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cron installation steps instruct users to schedule the standalone script without a conspicuous warning that this creates recurring automated outbound requests to configured providers. That can lead to unintended data transmission and surprise billing, especially because the feature is framed as a convenience step rather than a potentially persistent networked action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description notes background scheduling and reused provider credentials, but it does not present a prominent warning that the skill will automatically generate and transmit network requests on a schedule using the user's existing API accounts. In this context, that omission is security-relevant because the plugin's core behavior is autonomous outbound activity that can affect privacy, billing, provider account posture, and audit trails without clear informed consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code sends prompts and API credentials to configured third-party providers, but there is little user-facing disclosure at send time about what data leaves the system. In this skill's context, outbound traffic is the core function, yet the lack of prominent disclosure and consent still matters because it reuses existing provider keys and generates network activity on the user's behalf.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script modifies crontab state without a strong safety warning or confirmation flow, which is risky because it changes system behavior beyond the immediate execution. In this skill's context, that makes the plugin more dangerous: it is not just generating one-off noise, but establishing recurring automated activity using the user's environment and credentials.

Missing User Warnings

High
Confidence
97% confidence
Finding
The tool explicitly sends generated prompts to third-party LLM providers using the user's existing provider API keys, but the execution path contains no explicit consent, approval prompt, or clear disclosure at the point of transmission. In an agent/plugin environment, this creates covert external data generation and billing activity on the user's accounts, which is especially dangerous because it is framed as 'depersonalization' rather than a clearly opt-in networked action.

Missing User Warnings

High
Confidence
99% confidence
Finding
The background scheduler autonomously performs recurring external network activity, causing the plugin to contact outside providers without a user action at the time of execution. This is risky because it enables stealthy, ongoing outbound traffic and consumption of paid API resources, and the stated purpose is to generate deceptive human-like noise rather than serve a direct user-requested function.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The file header states that the plugin is 'designed to be statistically indistinguishable from real human usage,' which is an explicit deception objective rather than a neutral privacy feature. That context materially increases risk because the code is intended to conceal automation and distort provider-side behavioral signals, making the autonomous network activity more suspicious and less defensible as benign telemetry minimization.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The tool description says it sends 'persona-driven realistic-looking LLM sessions,' directly advertising automated impersonation of human usage. In context, this is not merely wording: the surrounding code implements personas, activity weighting, follow-ups, and staggered timing specifically to evade fingerprinting and make synthetic traffic resemble a real user, which increases both abuse potential and stealth.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description advertises scheduled randomized requests to multiple configured providers but does not state any trigger scope, user consent boundary, or activation constraint. In this context, that omission is security-relevant because the plugin is explicitly designed to generate autonomous outbound traffic using existing provider keys, which can create unbounded background actions, unexpected data egress, and billing risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest description advertises scheduled, provider-wide randomized query injection but does not clearly state the activation boundaries, user initiation requirements, or safety constraints. In a plugin that can reuse existing provider keys and send network traffic automatically, broad wording materially increases the risk of background operation, unintended API use, and user misunderstanding about when the behavior occurs.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The description promotes automatic privacy-altering behavior ('depersonalize your usage profile') without clearly indicating explicit opt-in, informed consent, or the side effects of sending synthetic prompts to third-party providers. Given the skill's purpose and the note that it reuses existing provider keys, this context makes the issue more dangerous because it could generate undisclosed outbound traffic, costs, logging exposure, and policy/account risks under the user's identity.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The topic list is deliberately made of broad, everyday questions that closely resemble normal user activity, which aligns with the skill's stated purpose of generating realistic background traffic to obscure behavioral fingerprints. In context, this is not an accidental content choice: it is functionality designed to impersonate organic usage patterns across third-party AI providers, which can undermine provider monitoring, attribution, abuse detection, and policy enforcement.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.