Security audit

Aero

Security checks across malware telemetry and agentic risk

Overview

Aero appears purpose-aligned for AEO analysis, but it needs review because it can guide agents toward production WordPress editing, sensitive credentials, destructive page operations, and durable memory with incomplete guardrails.

Install only if you intend to use Aero with AEO analytics and optional website-editing workflows. Before connecting it to production, keep .mcp.json secrets out of source control, use least-privilege staging and production credentials, require backups or exports before destructive WordPress actions, and require human approval before production edits or script insertion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 90%
Finding
The frontmatter says the skill should 'wake unprompted' on an event, which creates an implicit self-activation path not clearly scoped to explicit operator intent. In an agent system, ambiguous autonomous triggers can cause unintended execution, surprise actions, or follow-on tool use based solely on background events rather than a user request.

Vague Triggers

Medium
Confidence: 81%
Finding
The frontmatter description says to read this file when asked to produce a client-facing summary, which is broad enough to match many generic reporting requests. In an agentic system, vague activation boundaries can cause the skill to be pulled into contexts the user did not intend, increasing the chance of unnecessary tool use, incorrect report selection, or disclosure of project data in the wrong workflow.

Vague Triggers

Medium
Confidence: 85%
Finding
The instruction to prefer the bundled report when a client asks for a 'current state' or 'AEO report' uses ambiguous trigger phrases without guardrails. Because those phrases are common and underspecified, an orchestrating agent may over-apply this behavior, generating or fetching a full report when the user only wanted a narrow answer, which can expand data exposure and reduce predictability.

Missing User Warnings

Medium
Confidence: 89%
Finding
The guide instructs users to place Basic Authorization credentials in a project-root `.mcp.json` and shows production and staging endpoints, but it does not warn about secret exposure through source control, local file leakage, logs, screenshots, or reuse of high-privilege WordPress application passwords. In this context, the credential grants remote content-management access to WordPress/Elementor, so accidental disclosure could enable unauthorized page modification or broader site administration depending on account privileges.

Missing User Warnings

Medium
Confidence: 78%
Finding
The guide enumerates destructive operations such as `remove-element` and `delete-page-content` and discusses replaying changes to production, but it does not pair them with safeguards like backups, confirmation steps, versioning, or rollback guidance. In a content-management skill with persistent memory and production endpoints, omission of these precautions increases the chance of irreversible content loss or unintended site changes from operator error or mis-targeted automation.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.