Back to skill

Security audit

Kleo Static files

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it asks for powerful server setup and content-publishing authority without enough safeguards around installation, deletion, and sensitive file sharing.

Install only on a server where this skill is allowed to publish and delete hosted content. Avoid the one-line privileged installer unless you first inspect and pin the script to a trusted commit or use the manual install path. Use a dedicated API key, require explicit confirmation before delete, overwrite, clean-deploy, or share operations, and do not rely on basic auth alone for highly sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples include site and file deletion commands without warning that the actions are irreversible and may destroy hosted data. In an agent skill context, concise command examples can be copied or invoked automatically, increasing the chance of accidental destructive operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide encourages sharing sensitive files over a hosted subdomain protected only by basic auth credentials, without warning about credential handling, logging exposure, weak password practices, or the sensitivity of hosted content. This can lead users to treat the mechanism as a secure secret-sharing system when it is only a minimal access-control layer.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The quick-install command pipes a remote script directly into a privileged shell via `sudo bash`, which gives the remote content immediate root execution without any integrity verification or warning to the operator. In installation documentation, this is especially dangerous because users are likely to copy-paste it verbatim, and any compromise of the source, network path, or repository could lead to full system takeover.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The clean-deploy command unconditionally deletes an existing site before recreating it, with no warning, confirmation, or dry-run safeguard. In an agent-driven workflow, a mistaken site name, bad variable expansion, or prompt-induced misuse could cause irreversible content loss or service disruption on the target subdomain.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.