Security audit

openmath-submit-theorem

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenMath/Shentu submission helper that uses local CLI signing and blockchain transactions in a purpose-aligned way, though users must review commands before broadcasting.

Install only if you intend to submit OpenMath proofs on Shentu. Before broadcasting, verify the theorem ID, proof file, prover and agent addresses, feegrant limits, RPC endpoint, and the exact shentud binary being used; blockchain submissions may spend fees/deposits and publish proof details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares operational capabilities including shell execution, file reads, and environment-variable use, but does not declare permissions explicitly. This creates a transparency and policy-enforcement gap: a reviewer or runtime may underestimate what the skill can access and execute, increasing the chance of unintended command execution or sensitive local-state exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The stated description focuses on theorem submission, but the skill also validates local configuration, inspects keyring-backed identities, checks authz/feegrant state, queries chain status, and supports a direct-signing mode. This mismatch can mislead users about the breadth of access and operational behavior, especially where local credentials and blockchain signing flows are involved.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document provides copy-pastable commands that generate JSON artifacts and immediately broadcast on-chain transactions with `-y`, but it does not explicitly warn that these steps spend funds, use delegated authz/feegrant privileges, and write local files containing transaction payloads and proof material. In an agent skill context, this omission is risky because users or downstream automation may execute the commands without fully understanding that they cause irreversible blockchain actions and create sensitive local artifacts.

Unvalidated Output Injection

High
Category
Output Handling
Content
errors: list[str] = []
for candidate in shentud_binary_candidates():
    try:
        result = subprocess.run(
            [candidate, "version"],
            capture_output=True,
            text=True,
Confidence
86% confidence
Finding
subprocess.run( [candidate, "version"], capture_output

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

No suspicious patterns detected.