Back to skill

Security audit

Nm Sanctum Tutorial Updates

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent tutorial generator, but it can run project-supplied commands, rebuild/install binaries, start background processes, and edit repository docs without strong confirmation boundaries.

Install only if you intend to let the agent modify tutorial files and run commands from the target repository. Use it in trusted repos, review tape and manifest files first, avoid --skip-validation, and require an explicit preview before rebuilds, recordings, README/SUMMARY edits, or cargo install/make build steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly directs the agent to extract commands from tape files and execute each one locally via `timeout 5s bash -c "$cmd"`. Because tape content is treated as input rather than trusted code, this creates an arbitrary command-execution path during a validation phase that should be non-destructive. In this context, even short-lived commands can exfiltrate data, modify files, spawn background processes, or invoke network access.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill goes beyond tutorial generation by detecting build systems, checking binary freshness against Git, and rebuilding/installing binaries with `cargo install` or `make build`. Those actions can execute untrusted project build scripts, alter the local environment, and install artifacts into user PATH locations, which expands the skill's authority beyond documentation refresh. In adversarial or merely unsafe repositories, builds are a common code-execution boundary.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The module instructs the agent to modify README content in addition to generating tutorial markdown, which expands behavior beyond the stated scope of the skill. Scope expansion is risky because an agent may perform broader repository edits than the user expects, increasing the chance of unintended or unauthorized documentation changes.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The instructions include updating `book/src/SUMMARY.md`, which is broader than the declared purpose of generating or updating tutorials. This kind of undocumented side effect can surprise users and cause navigation or documentation structure changes outside the expected target files.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger list contains broad terms such as `tutorial`, `gif`, `playwright`, `documentation`, and `demo`, which are common in normal development conversations. Overly broad triggers increase the chance the skill activates in unrelated contexts and begins executing a high-impact workflow involving file modifications, recordings, validation, and rebuild logic. Given the skill's powerful behavior, accidental invocation materially raises risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The overview describes a pipeline that records sessions, generates GIFs, composes media, and generates markdown into `docs/` and `book/`, but it does not prominently require warning or confirmation before modifying repository contents. Because the skill writes multiple artifacts and can update README/SUMMARY files, users may trigger substantial repo changes without clear consent boundaries. The risk is amplified by the broad triggers and automation-heavy design.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README update flow uses in-place modification commands without safeguards, previews, backups, or clear warnings about overwriting content. Even if intended for convenience, this can corrupt README structure or delete user-authored text if section matching behaves unexpectedly.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Flag | Behavior |
|------|----------|
| `--validate-only` | Run validation without generating GIF |
| `--skip-validation` | Bypass validation for rapid regeneration |

### Validation Exit Criteria
Confidence
86% confidence
Finding
--skip-validation

Unsafe Defaults

Medium
Category
Tool Misuse
Content
| Flag | Behavior |
|------|----------|
| `--validate-only` | Run validation without generating GIF |
| `--skip-validation` | Bypass validation for rapid regeneration |

### Validation Exit Criteria
Confidence
81% confidence
Finding
skip-validation

Tool Parameter Abuse

High
Category
Tool Misuse
Content
|------|---------|
| 0 | Validation passed |
| 1 | Validation failed (errors found) |
| 2 | Validation skipped (--skip-validation) |

## Error Message Format
Confidence
92% confidence
Finding
--skip-validation

Unsafe Defaults

Medium
Category
Tool Misuse
Content
|------|---------|
| 0 | Validation passed |
| 1 | Validation failed (errors found) |
| 2 | Validation skipped (--skip-validation) |

## Error Message Format
Confidence
89% confidence
Finding
skip-validation

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.