Back to skill

Security audit

fofamap

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed FOFA reconnaissance skill with local outputs, optional memory, live checks, and explicitly gated Nuclei scanning; it is not risk-free but the sensitive behavior is largely purpose-aligned and documented.

Install only if you are comfortable giving it FOFA credentials and storing recon artifacts locally. Use it for assets you are authorized to investigate, disable learning with FOFAMAP_DISABLE_LEARNING=1 if retained run history is not acceptable, and do not run the Nuclei modes or update command unless you intentionally want active scanning or local tool mutation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_nuclei_scan(nuclei_path: str, targets_file: str, extra_args: str, output_file: str) -> Dict[str, Any]:
    cmd = [nuclei_path, "-l", targets_file, "-o", output_file, "-stats"] + shlex.split(extra_args or "")
    completed = subprocess.run(cmd, capture_output=True, text=True)
    summary = parse_nuclei_log(output_file)
    return {
        "ok": completed.returncode == 0 or Path(output_file).exists(),
Confidence
94% confidence
Finding
completed = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
results: List[Dict[str, Any]] = []
    ok = True
    for cmd in commands:
        completed = subprocess.run(cmd, capture_output=True, text=True)
        results.append(
            {
                "command": " ".join(cmd),
Confidence
84% confidence
Finding
completed = subprocess.run(cmd, capture_output=True, text=True)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest presents a constrained recon tool, but early documentation already expands scope to self-improvement/memory and active scanning workflows. This creates a trust and safety gap: operators may authorize a passive recon assistant while unknowingly enabling persistent storage and active security testing features.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The local memory and run-reflection behavior is not necessary for a basic FOFA recon wrapper and introduces retention of prior task inputs, outputs, and inferred patterns. In a security context, those artifacts may include sensitive targets, credentials-adjacent operational data, or internal investigative history that persists beyond the original user session.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Allowing `project-run --run-nuclei` extends the skill from passive FOFA intelligence into active vulnerability scanning, which materially changes legal, operational, and safety risk. In the wrong context, that can generate unauthorized traffic against third-party systems and exceed the user's original intent or approval boundary.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest advertises capabilities beyond the stated FOFA recon scope, including monitoring, local memory, live checks, exports, and report templates. This kind of scope expansion can cause downstream agents or users to over-trust the skill with actions or data handling it was not explicitly approved for, increasing the chance of unintended data retention, broader recon activity, or misuse of live external interactions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The playbook materially expands the skill from simple FOFA recon into monitoring, reporting, and recurring workflow orchestration, which is not clearly disclosed in the manifest description. That scope drift increases the chance of unexpected data retention, automation, and user misuse because operators may invoke capabilities they did not knowingly authorize or review.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Including red-team and attack-infrastructure hunting guidance broadens the skill from passive asset discovery into offensive-oriented target selection support. In a recon skill, this context makes misuse easier because the documentation directly points users toward suspicious-infrastructure hunting workflows that exceed the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documented local memory and reflection features introduce persistent storage of prior targets, hunt patterns, and operational lessons without that behavior being justified in the stated FOFA recon purpose. Persistent security-recon memory can accumulate sensitive targeting context and create privacy, retention, and cross-task data leakage risks if reused in later runs.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The setup documentation advertises `project-run --run-nuclei`, which extends the skill from passive FOFA reconnaissance into active vulnerability scanning. That is a real scope expansion because active scanning can touch targets directly, create legal/authorization risk, and increase the chance an agent uses the skill for actions beyond the stated 'cautious follow-up vulnerability triage' boundary.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The notes mention a standalone `nuclei-run` mode that is not reflected in the skill description, creating hidden capability beyond the advertised FOFA recon purpose. Undocumented offensive-adjacent functionality is dangerous because downstream users or agents may invoke active scanning without realizing the operational and compliance implications.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill description says it is for deterministic FOFA API recon, but the implementation also performs active Nuclei scans, updates tooling, and probes target hosts. That capability expansion materially changes the trust boundary from passive data retrieval to active offensive/security testing, which is dangerous in an autonomous agent context because it can trigger unauthorized scanning and operational impact.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Executing local Nuclei subprocesses is not justified by the stated purpose of deterministic FOFA API calls. In practice this lets the skill pivot from search results to active vulnerability scanning and local process execution, increasing the chance of misuse, policy violations, and unintended impact on third-party systems.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill encourages creation of exports, reports, snapshots, and project artifacts but does not clearly warn that files will be written locally and may persist after execution. That can surprise users and leak sensitive recon data into shared workspaces, logs, or backup systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup section requests FOFA credentials and the workflow sends user-supplied queries and targets to FOFA, but this transmission is not clearly disclosed as a privacy and data-sharing event. Users may unintentionally submit sensitive targets, internal domains, or investigative hypotheses to an external service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented local memory and learning artifacts imply disk retention across runs, but the user is not given a strong warning that prior task data may be preserved and reused later. For security investigations, retained history can expose sensitive targeting patterns, customer assets, or analyst notes to future users or processes on the same system.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt is broad and action-oriented, encouraging routing of loosely related requests into recon, monitoring, paging, query branching, self-reflection, live checks, exports, and reporting. Combined with implicit invocation, this increases the risk of unintended activation and execution in situations where the user did not clearly request these behaviors, potentially expanding recon activity or causing unnecessary handling of sensitive asset data.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The playbook explicitly documents persistent storage of operational run history, reflections, and aggregated lessons on disk, but it does not warn about retention, sensitivity, or access control. In a security recon skill, these artifacts can contain targets, query strategies, exposure observations, and operator notes, so unguarded local persistence increases the chance of inadvertent disclosure if the workspace is shared, synced, or later exfiltrated.

VirusTotal

1/63 vendors flagged this skill as malicious, and 62/63 flagged it as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.