
Security audit

Compile Skill

Security checks across malware telemetry and agentic risk

Overview

The skill’s note-compilation purpose is coherent, but it includes broad file-moving behavior and a free-form shell audit command that should be reviewed before use.

Install only if you trust the publisher and intend to let this skill modify the configured markdown vault. Configure the inbox, transit, raw, and state directories narrowly, review any `--audit-cmd` value before it runs, and keep backups or a dry-run process for file moves and metadata rewrites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly performs filesystem reads/writes and invokes external tooling, yet it declares no explicit permissions boundary. That mismatch is dangerous because operators and policy engines may treat the skill as less privileged than it really is, allowing archival, file moves, and possible network-capable helper execution without clear consent or enforcement.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script executes the contents of `--audit-cmd` via `bash -lc`, which gives the caller arbitrary shell execution with the privileges of the running agent. In a checkpoint/state-tracking helper for a compile workflow, this is far broader than necessary and creates a direct command-injection/RCE primitive if any untrusted input can reach this argument.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The metadata says the skill compiles notes and archives source material, but it does not prominently warn at invocation time that source markdown and images may be moved out of the inbox. This can lead to unintended destructive or surprising file-state changes, especially because the workflow includes mv/rm-capable tooling and emphasizes automatic archival.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to move source files, move image assets, write back metadata, append to daily logs, and create structured run logs, but it does not require an explicit user-facing confirmation before those state-changing actions occur. In an agent setting, silent file mutations and logging can cause unintended data movement, archival of the wrong material, or privacy-sensitive information being persisted without the operator clearly authorizing those side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script not only permits arbitrary command execution through `--audit-cmd`, it does so automatically when marking a step as done and without any explicit confirmation or warning to the operator. In an agent skill context, that increases the chance of silent execution of harmful commands embedded in workflow state or generated by upstream components.

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.