Back to skill

Security audit

Black Fortress

Security checks across malware telemetry and agentic risk

Overview

This is a defensive local sandboxing skill, but it overstates important protections and asks users to trust high-impact Docker/root workflows that are not fully implemented or scoped.

Review before installing. Use only on a disposable or tightly controlled host, do not treat an approval result as a complete security guarantee, avoid Firecracker/root mode unless you independently verify that it actually runs the target workload, back up Docker configuration before following the credential-helper fix, and do not preserve artifacts unless you secure and delete the archive yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Tainted flow: 'cmd' from os.environ.get (line 69, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
start_time = time.time()
        try:
            result = subprocess.run(
                cmd, capture_output=True,
                text=True, timeout=timeout, env=SANDBOX_ENV
            )
Confidence
80% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout, env=SANDBOX_ENV )

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation claims rdtsc/rdtscp are blocked, but the provided seccomp profile only denies network syscalls. This can cause operators to rely on side-channel protections that are not actually present, weakening the threat model and allowing timing/evasion techniques that the protocol says it prevents.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module advertises that JSON output is protected by an entropy gate and schema validation, but the implementation simply copies non-raster allowed files through unchanged. In a security boundary component, this mismatch is dangerous because downstream systems or operators may trust JSON artifacts as sanitized when they are not, enabling malicious content or oversized/weaponized data to pass the filter.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The documentation claims all files have metadata stripped, but pass-through files are copied with shutil.copy2, which preserves file metadata such as timestamps and may preserve attributes contrary to the stated security model. This creates a false sense of sanitization and can allow hidden or identifying metadata to survive the 'trusted output rendering' stage.

Intent-Code Divergence

Low
Confidence
96% confidence
Finding
Allowing SVG to pass through as 'safe' is dangerous because SVG is active markup, not inert image data; it can contain scripts, external references, embedded foreign content, and renderer-specific behaviors. In a component specifically intended to prevent steganography and output-based manipulation, treating SVG as harmless materially weakens the boundary.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims to be 'fail-closed' but, when the trace file is missing or empty, it continues with an empty trace and still performs the audit. This creates a fail-open condition where behavioral verification is silently degraded, allowing actions to be evaluated without the kernel-ground-truth the tool advertises as a core defense layer.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comments assert that host secrets are stripped, but the implementation forwards host-derived variables including HOME, PATH, TMPDIR, and locale settings into subprocesses. In a sandboxing/orchestration context, overstating isolation is dangerous because helper scripts or tools may use HOME-based config files, credentials, sockets, or other host context, undermining the intended trust boundary.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script is described as a pre-installation sandboxing/neutralization layer that 'kills all linguistic injection surfaces,' but in reality it only removes docstrings/selected calls, renames identifiers, and truncates strings longer than 50 characters. In this security-sensitive skill context, that mismatch is dangerous because downstream components may trust the output as sanitized while shorter malicious prompts, harmful literals, and non-string instruction channels remain intact.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The documentation promises TTL-based auto-deletion, but archive creation only embeds an expiration timestamp in metadata and relies on a separate cleanup path to delete expired files. This creates a retention-control gap where sensitive forensic artifacts may persist indefinitely if cleanup is not scheduled, violating user expectations and potentially policy or compliance requirements.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation promises TTL-based auto-deletion, but archive creation only embeds an expiration timestamp in metadata and relies on a separate cleanup path to delete expired files. This creates a retention-control gap where sensitive forensic artifacts may persist indefinitely if cleanup is not scheduled, violating user expectations and potentially policy or compliance requirements.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The Firecracker path claims to execute the provided feature in a micro-VM, but the source_dir is never mounted, copied, or invoked inside the guest. This creates a dangerous false sense of security: users may trust the 'firecracker' or 'differential' modes as sandbox validation when the target code was never actually run in that environment.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comments and verdict imply behavior/output comparison for evasion detection, but the code compares only status and exit code. In a security tool, this mismatch can let evasive samples produce materially different output while still being marked as passing, undermining trust in the detection result.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The seccomp profile uses SCMP_ACT_ALLOW as the default, meaning nearly all syscalls remain permitted except a short list of networking operations. For a skill advertised as providing 'hard quarantine' and multi-layer sandboxing, this leaves broad attack surface for filesystem access, process creation, privilege-related operations, namespace manipulation, and other kernel interactions that can undermine containment.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The profile materially contradicts the stated security posture: 'hard quarantine' and 'kernel ground-truth' imply strong kernel-enforced confinement, but the implementation only denies a subset of socket-related syscalls. This mismatch is dangerous because operators may rely on claimed isolation guarantees that are not actually enforced, enabling malicious or compromised code to perform harmful local actions despite appearing sandboxed.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The skill’s triggering/use scope is broad and lacks explicit invocation constraints, exclusions, or safe-operating boundaries. For a tool that can build Docker images, run containers, process untrusted code, and optionally use privileged VM paths, vague scope increases the chance of accidental use on sensitive sources, production hosts, or unsuitable environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The protocol describes killing sandboxes, deleting filesystem artifacts, and preserving only sanitized outputs, but it does not prominently warn users about data-loss risk. In a skill that operates on directories and sandbox artifacts, fail-closed cleanup without clear warning can destroy evidence, intermediate results, or mistakenly mounted host data if paths are misconfigured.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.