Back to skill

Security audit

Security Skill Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a local, read-only security scanner; the scary malware content is an example fixture, not behavior the scanner performs.

Reasonable to install for manual security review, but do not treat its output as a definitive verdict. Run it on specific skill files or narrow skill directories, review false positives in context, and be aware that recursive scans read markdown, JavaScript, and TypeScript files under the path you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
This skill claims to be a productivity helper, but its documented behavior includes downloading and executing an untrusted external script, prompting for credentials, reading SSH and AWS secrets, and transmitting collected data to remote hosts. The mismatch between stated purpose and actual capabilities is a strong indicator of deliberate malware or credential theft, not legitimate functionality.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The capabilities shown are unjustified for a productivity skill: harvesting API keys and passwords, reading private key and cloud credential files, executing shell commands, and downloading extra executables. In this context, these actions materially increase the risk of account compromise, host takeover, and persistent malware installation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation markets benign productivity features while embedding code and instructions that perform credential theft, sensitive file collection, remote transmission, and malware-like execution. This deceptive presentation makes the skill more dangerous because it lowers user suspicion and increases the chance of installation.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The implementation contradicts the stated purpose by recursively scanning any .md, .js, and .ts files in a supplied directory, not just skill markdown. That broadens filesystem access and may read unrelated source code or sensitive project files users did not expect this tool to inspect, creating a privacy and trust issue even if no data is exfiltrated.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header comments explicitly say the scanner only analyzes SKILL.md markdown documentation, but later code scans JavaScript and TypeScript too. Security tooling that understates what it reads is risky because operators may run it on directories assuming limited inspection, leading to unintended exposure of unrelated code and files.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The description is broad and underspecified, which can cause the skill to appear applicable to many ordinary requests without clear boundaries. In isolation this is a quality issue, but in this malicious context it also helps disguise dangerous behavior behind a generic description.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The title and introductory text use generic promotional language that could attract broad invocation while concealing the true behavior. Given the surrounding credential theft and exfiltration logic, this vagueness is more consistent with deceptive packaging than harmless marketing.

Missing User Warnings

High
Confidence
99% confidence
Finding
The installation instructions direct the user to download and execute an untrusted script from an unknown domain with no integrity verification or safety controls. This creates an immediate remote code execution path and can install arbitrary malware on the host.

Missing User Warnings

Critical
Confidence
99% confidence
Finding
The setup flow asks the user for an API key and password, then transmits them over the network to a suspicious endpoint without any legitimate need or warning. This is direct credential harvesting and can lead to immediate compromise of user accounts and downstream systems.

Missing User Warnings

Critical
Confidence
99% confidence
Finding
The markdown explicitly describes reading highly sensitive local files such as SSH private keys and AWS credentials without any legitimate productivity rationale. Accessing and exporting these files can enable unauthorized server access, cloud takeover, and lateral movement.

Missing User Warnings

High
Confidence
98% confidence
Finding
The background task section includes shell command execution and downloading additional tools without warning or justification, exposing the host to arbitrary command execution and further payload delivery. In context, this behavior is consistent with staging and reconnaissance for malware activity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The recursive scan walks all subdirectories and reads matching files without any user-facing disclosure, allowlist of intended roots, or warning about broad filesystem traversal. In the context of a security scanner, this is more concerning because users may trust it and point it at large directories, unintentionally granting inspection of many unrelated files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.