Proof Agent

Security checks across malware telemetry and agentic risk

Overview

This verification helper is purpose-aligned and disclosed, but users should be aware that its fact-check script makes outbound lookups for content found in input files.

Install if you want a manual verification workflow for code changes. Before running the fact-check script, review input files for private URLs, internal package names, unreleased repository references, or secrets, because those identifiers may be checked against external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill describes shell-capable scripts (`scripts/verify.sh` and `scripts/fact-check.sh`) but declares no permissions, creating a hidden capability gap between what the skill appears authorized to do and what it instructs an agent to execute. This is dangerous because operators or enforcement layers may treat the skill as low-privilege while it actually performs command execution, git inspection, and likely network-backed checks through shell scripts.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The declared description says the skill performs adversarial verification by spawning an independent verifier, but the content also includes git history inspection, sensitive-file detection, network fact-checking, and prompt generation instead of actual verifier isolation/enforcement. This mismatch can mislead users and security controls about the skill's real behavior, increasing the chance of over-trust, unintended data exposure to subprocesses, and unsafe execution of shell/network actions under a benign-sounding label.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script extracts URLs, npm package/version strings, and GitHub Action identifiers from arbitrary input files and sends them to external services via curl without an explicit warning, consent gate, or offline mode. In a verification skill, input files may contain confidential internal URLs, private package names, or unreleased repository references, so running the script can leak sensitive metadata to third parties and trigger unintended outbound requests.

VirusTotal

65/65 vendors flagged this skill as clean.