Back to skill

Security audit

Asf V4

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it combines broad control-plane authority with several overstated or unenforced safety features users should review before installing.

Install only in a constrained environment and do not rely on its advertised sandbox, rollback, safety, or audit gates as real enforcement. Review or disable the CLI/deploy/load-skill commands, prefer local embeddings for private memory, and treat its logs as potentially containing sensitive prompts or task data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README labels the skill as 'Production Ready' while later phases explicitly show 'Security audit' as incomplete. This can mislead operators into trusting and deploying the skill without appropriate review, increasing the chance that unsafe functionality is enabled in a sensitive agent environment. In the context of an agent skill that exposes optimization, governance, and memory features, overstated readiness is more dangerous because users may grant it broad access based on that claim.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function claims to validate brand compliance for a specific video, but it never analyzes the provided video and instead uses Math.random() to generate issues. This can cause consumers of the API to trust false compliance results, leading to policy bypass, incorrect approvals, or release of non-compliant branded content.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file defines sandbox and governance controls such as allowed/denied APIs, timeout, GPU isolation, minimum quality score, and maximum generation time, but these controls are not actually enforced during execution. This creates a false sense of security and can allow requests to run without the documented safety boundaries, leading to policy bypass, resource abuse, or unsafe downstream tool usage.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The cancellation path claims to stop running tasks, but executing tasks are never inserted into runningTasks, so active video-generation jobs cannot actually be cancelled. In an agent orchestration context, this can cause uncontrolled resource consumption, quota exhaustion, and inability to halt unsafe or unwanted work once started.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module presents `contentSafety` as a critical safety gate, but the implementation only checks whether generation failed or returned an error. This can allow unsafe or policy-violating content to be marked safe whenever generation succeeds, creating a misleading control that downstream systems may trust for automated acceptance or deployment.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The `audioQuality` check is documented as a quality gate but is coded as `hasAudio || true`, so it always passes. This creates a deceptive assurance signal in quality reports and can skew weighted scoring, letting low-quality outputs pass review or trigger incorrect downstream decisions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The `brandConsistency` check always returns success while being represented as a meaningful validation step. In a gate intended to protect automated content pipelines, this can hide policy or brand violations and inflate confidence in outputs that were never actually checked.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The validator presents itself as enforcing safety boundaries, but in practice only `block` boundaries deny execution. `warn` and `audit` findings still allow the operation, so risky actions can proceed despite policy text suggesting stronger safeguards. In a safety-control component, this policy/implementation mismatch can cause downstream systems or operators to assume an action was prevented when it was merely logged.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code comments and boundary response state that deleting production configuration requires dual approval, but the boundary is only typed as `audit`, so the validator still returns `allowed: true`. This creates a direct control gap for destructive production changes: an operation that policy says must be gated can proceed without any approval enforcement.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`safeDeploy` is security-sensitive by name and comment, but it unconditionally returns `true` without validating the config, enforcing preconditions, or performing any deployment safety checks. In a governance/safety module, this can cause callers to treat unsafe or failed deployments as approved/successful, potentially bypassing higher-level protections and creating a fail-open security control.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module advertises secure isolation for code execution, filesystem access, and networking, but the implementation does not provide real sandboxing. This creates a dangerous security illusion: callers may trust it to contain untrusted code when no enforced isolation mechanism exists, leading to potential arbitrary code execution or policy bypass if integrated as a real sandbox.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file for a requirement-refinement skill also contains rollback, deployment, and version-control orchestration logic. Mixing operational control capabilities into a content-processing skill violates separation of duties and expands the blast radius: if this skill is invoked, extended, or later wired to real Git/deployment backends, an attacker who can influence execution paths could trigger code rollback or redeployment actions unrelated to requirement parsing.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The regex `表单|form|提交|submit|输入` is overly broad for routing to the `stripe` design system because it matches extremely common words that appear in many unrelated user requests. In a skill that automatically maps requests to a design system, this can cause systematic misclassification and steer outputs toward an inappropriate design template, reducing reliability and making prompt-driven behavior easy to manipulate.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Using `水果` as an alias for `apple` creates a high-likelihood collision with ordinary language unrelated to the Apple design system. In a mapping-driven skill, an attacker or even normal user text mentioning fruit can unintentionally trigger the Apple theme, making the system easy to influence and causing incorrect behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The asf:cli command forwards user-controlled command, subcommand, and options into a dynamically imported CLI runner without visible validation, allowlisting, privilege restriction, or warning. In an agent skill context, this creates a dangerous execution bridge: an LLM or untrusted workflow input could trigger sensitive local operations, external side effects, or command-equivalent behavior through the underlying CLI implementation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
notifyAgents() logs the full AgentMessage object, including the task result payload, to console output. Because task results may contain user prompts, client identifiers, error details, or generated artifact metadata, this creates an information disclosure risk through logs, especially in shared runtime, centralized logging, or multi-tenant environments.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This code sends arbitrary text to a remote embedding provider, which can expose sensitive memory content, prompts, or user data to a third party if used on private inputs. In a memory module, that context makes the issue more serious because stored/retrieved text often contains high-value or personal information, and there is no visible consent gate, redaction, or policy enforcement here.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This class may send raw user memory and search queries to an external embedding provider when USE_LOCAL_EMBEDDER is false, with no indication in this file of consent, minimization, or disclosure controls. In a memory system, stored content can contain sensitive user data, so silent transmission to a third party creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cache hit log includes a substring of the raw prompt, which can leak sensitive user input, secrets, personal data, or proprietary prompts into application logs. Logs are often broadly retained and accessible to operators or third-party logging systems, so even partial prompt disclosure can create a confidentiality risk.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The report command writes to a user-supplied path without validation or restriction, enabling arbitrary file overwrite within the permissions of the running process. In an agent/CLI skill context, this is more dangerous because another component or user may pass attacker-controlled arguments, allowing clobbering of configuration files, logs, or sensitive workspace files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/security-audit.sh:58