Security audit

Loop Anything Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-review workflow that creates local review artifacts and runs a small local validator, with no evidence of deception, exfiltration, or destructive behavior.

Install only if you want an agent to run multi-pass reviews that may be slower and more expensive than normal. Use explicit invocation for important deliverables, and avoid sensitive documents unless you trust the platform's subagent isolation and are comfortable with local manifest and reviewer-output files being created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to read multiple local files such as templates, references, manifests, and reviewer outputs, but it does not declare any permissions to do so. That creates an implicit file-read capability gap where operators may not realize the skill can access workspace contents, and if reused in a broader context it could read unintended local files or sensitive project data.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill claims to improve deliverables through multi-agent review, but it also directs execution of local validation steps over manifests and reviewer text files, including reading disk files and invoking a Python script. This mismatch hides material behavior from users and reviewers, reducing informed consent and making it easier for the skill to perform unexpected local inspection or script execution under the guise of a review workflow.

Vague Triggers

Medium
Confidence: 91%
Finding: The README states that the skill 'activates automatically' when relevant, but it does not define clear triggering boundaries or require explicit user consent. In agent ecosystems with heuristic skill loading, this can cause the review workflow to run on ordinary requests, potentially increasing token use, exposing user content to extra reviewer contexts, or altering task behavior unexpectedly.

Vague Triggers

Medium
Confidence: 88%
Finding: The suggested phrase 'Loop-review this [document / plan / decision] — I need it to be bulletproof' is broad and close to normal user language, making accidental invocation plausible. In multi-skill environments, generic trigger wording can collide with unrelated requests and cause unintended execution of an expensive or behavior-altering workflow.

Vague Triggers

Medium
Confidence: 90%
Finding: The Chinese text similarly says the skill will auto-activate 'when needed' without defining what counts as needed. This creates the same unintended invocation risk for Chinese-language users and broadens the affected surface across locales.

Vague Triggers

Medium
Confidence: 87%
Finding: The Chinese suggested invocation is generic and can overlap with ordinary requests for review or feedback. In platforms that match skills by intent rather than exact command names, this ambiguity can trigger the skill unintentionally and expose content to unnecessary processing rounds.

VirusTotal

63/63 vendors flagged this skill as clean.