Mm1 Simulation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to advertise queue simulation but also exposes a broad remote API proxy and persists API keys in a way users should review before installing.

Install only if you are comfortable with this skill sending inputs to an external API and storing an API key locally. Prefer a version that clearly documents the remote service, limits callable tools to queue-analysis functions, avoids plaintext credential persistence by default, and removes unrelated school-search or gaokao references.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (12)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The manifest presents a queue simulation service, but the body introduces an API-key-gated workflow and gaokao-related project references that are unrelated to the declared domain. Such cross-domain inconsistency is a strong sign of repurposed or misleading instructions, increasing the chance that users disclose secrets or permit operations they would not authorize if the true behavior were clear.

Intent-Code Divergence

High

Confidence: 96% confidence
Finding: The workflow example instructs use of an unrelated `search_schools` function despite the advertised queue-analysis toolset. This inconsistency can redirect the agent into invoking unintended code paths or external services, undermining user expectations and making hidden functionality harder to detect during review.

Intent-Code Divergence

Medium

Confidence: 84% confidence
Finding: The return-value section claims a generic API wrapper exposing `result["raw"]`, which conflicts with the earlier description of direct metric dictionaries from queue-analysis tools. This ambiguity is dangerous because it obscures whether raw remote API responses are being passed through, potentially exposing unexpected data fields or encouraging unsafe trust in opaque backend output.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The project structure describes configuration management, API calling, and local credential storage for an external service rather than a self-contained queue simulation server. In context, this deepens the deception risk by showing that the implementation is architected as a remote API client while the skill is marketed as a queue-analysis service.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: This file implements a generic outbound tool invocation wrapper that can call any upstream function by arbitrary `tool_name` and `params`, rather than enforcing queue-simulation-only operations. In the context of a skill advertised as an M/M/1 and M/M/c queue simulator, this creates a capability mismatch that could let downstream users or prompts invoke unrelated remote actions through the skill as a proxy.

Context-Inappropriate Capability

High

Confidence: 94% confidence
Finding: The code acts as a general remote tool proxy: it accepts arbitrary `tool_name`, `mcp_id`, and `params`, attaches credentials, and forwards them to an upstream API. Because the declared purpose is narrow queue simulation, this broad proxy behavior materially increases abuse potential, including unauthorized use of the configured API key to access unintended upstream capabilities.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The module for a queue simulation service includes unrelated API credential management, including reading, writing, and globally setting an external service key. That capability expands the trust boundary of the skill and creates a path for secret persistence and misuse that is not justified by the declared service purpose, making the mismatch itself a significant security concern.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The code can modify and persist credentials into a local .env file, which gives the skill write access to secret-bearing configuration beyond a normal simulation workload. In the context of a queue simulator, this is unnecessary and dangerous because it can overwrite existing credentials, create hidden persistence, or plant secrets for later use by other processes.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The functions are presented as local validation, metric calculation, and simulation utilities, but they actually send all inputs to an external API via call_api. This creates a trust-boundary violation and hidden data flow: users or downstream code may believe processing is local while parameters and possibly derived results are handled by a remote service, with availability, privacy, and integrity implications.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The docstrings state that the code performs exact formulas and SimPy-based simulation locally, but the implementation only forwards arguments to call_api. This misleading interface can cause operators to make incorrect security and reliability assumptions, such as approving the skill for offline/local use or supplying sensitive inputs under the belief they are not leaving the environment.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: Persisting an API key to .env without any user-facing warning, confirmation, or secure handling can cause accidental long-term storage of sensitive credentials. In multi-user or shared development environments, this increases the chance of credential leakage through source control, backups, or unintended file access.

Ssd 3

Medium

Confidence: 98% confidence
Finding: The skill explicitly instructs the agent to ask for a user API key and persist it via `set_api_key`, likely into a local `.env` file for future reuse. Persistent storage of user-provided credentials increases the risk of accidental disclosure, reuse outside the original session, compromise through filesystem access, and unclear consent around retention.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal