
Security audit

Sol Weekend Deep Dive

Security checks across malware telemetry and agentic risk

Overview

The skill is for automated blog writing, but it also schedules unattended publishing and pushes changes to GitHub without clear review controls.

Install only if you own the target Jekyll site and intentionally want unattended public publishing. Before enabling launchd or any push step, review the external script, use a dedicated branch or PR workflow, restrict GitHub credentials to the intended repository, and keep the MiniMax key in a protected secret file.
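The four precautions above can be turned into a preflight that runs before the scheduled push. The script below is an added illustration, not code from the Sol Weekend Deep Dive skill or from the SkillSpector report; the secret file path, the review branch name and the owner/repo it pins the push to are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the Sol Weekend Deep Dive skill or the SkillSpector
# report: preflight guards to run before the skill's scheduled commit-and-push.
# The secret path, branch name and owner/repo below are illustrative assumptions.

# 1. The MiniMax key must live in a regular file that only its owner can read
#    or write. POSIX find -perm is used so the check behaves the same under
#    launchd on macOS and under cron/systemd on Linux.
check_secret_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "secret file missing or not a regular file: $f" >&2
        return 1
    fi
    exposed="$(find "$f" \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)"
    if [ -n "$exposed" ]; then
        echo "secret file is group/world accessible, expected mode 600: $f" >&2
        return 1
    fi
    return 0
}

# 2. Unattended runs may only push to a dedicated review branch; a human
#    merges it to the live branch after reading the generated post.
guard_branch() {
    case "$1" in
        "")
            echo "no target branch given" >&2
            return 1 ;;
        main|master|gh-pages|production)
            echo "refusing to push directly to protected branch: $1" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# 3. Reduce a GitHub remote URL (HTTPS or SSH form) to owner/repo so the push
#    can be pinned to the one repository the token is meant for.
remote_repo() {
    url="${1%.git}"
    case "$url" in
        https://github.com/*)    echo "${url#https://github.com/}" ;;
        git@github.com:*)        echo "${url#git@github.com:}" ;;
        ssh://git@github.com/*)  echo "${url#ssh://git@github.com/}" ;;
        *)
            echo "unrecognised GitHub remote: $1" >&2
            return 1 ;;
    esac
}

check_remote() {
    actual="$(remote_repo "$1")" || return 1
    if [ "$actual" != "$2" ]; then
        echo "remote points at $actual, publishing is only allowed to $2" >&2
        return 1
    fi
    return 0
}

# Run every guard; on success print the single push that the scheduled job
# would then execute (kept as a dry run here so the script has no side effects).
preflight() {
    secret="$1"; branch="$2"; remote="$3"; allowed="$4"
    check_secret_file "$secret" || return 1
    guard_branch "$branch" || return 1
    check_remote "$remote" "$allowed" || return 1
    echo "git push origin HEAD:refs/heads/$branch"
}

# Example invocation (assumed paths and names):
#   preflight "$HOME/.config/sol-weekend/minimax.key" sol-weekend-draft \
#             "$(git remote get-url origin)" alice/blog
```

Wire `preflight` in front of the push step of the launchd job and let the job exit when it returns non-zero. The remote check complements, but does not replace, scoping the GitHub token itself: a fine-grained personal access token restricted to the one repository limits the damage if the key is ever read out of the secret file, and the branch guard keeps a bad generation run from landing on the live site without a person merging it.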

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The manifest and description present the skill as a research-and-write tool, but the documented behavior includes auto-committing and pushing to GitHub, which is a materially more sensitive action. This creates a scope/expectation mismatch that can lead users to authorize or schedule the skill without realizing it will perform remote repository modifications.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
Automatically committing and pushing generated content is not necessary for the core task of drafting a weekend article, and it increases risk by publishing unreviewed, externally sourced, or model-generated content. If the skill is abused, or if generation fails without a safe fallback, it could overwrite site state or publish inaccurate or unwanted material directly to production content.

Scope Creep

Severity: High
Confidence: 94%
Finding
The skill documents behavior that exceeds its declared permissions: pushing to GitHub is a networked state-changing action not transparently covered by a simple research/file-write description. This kind of permission/behavior mismatch undermines trust boundaries and may hide code paths that exfiltrate credentials or modify remote repositories beyond what reviewers expect.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill omits a clear warning that it will write files and publish changes automatically, despite being scheduled and capable of mutating site content. Lack of disclosure increases the chance of silent or surprising modifications, especially in unattended execution contexts.

VirusTotal

VirusTotal findings are pending for this skill version.