变更方案自动审核助手 (Change Plan Auto-Review Assistant)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised deployment-plan review, but it keeps local copies and history of submitted deployment documents.

Install only if you are comfortable with deployment plans, spreadsheets, generated reports, and issue history being retained locally under the skill directory. Use it on a trusted machine, protect or periodically delete data/raw, output, and the tracking workbook when no longer needed, and install Python dependencies from trusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium (82% confidence)
Finding
The documentation claims the skill must refuse to parse when only one required file is supplied, but the exposed CLI and programmatic paths do not show equivalent enforcement. If downstream callers invoke the engine directly, they may bypass the guardrail and process incomplete or unintended inputs, producing misleading results or violating workflow expectations.
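One way to close the gap this finding describes is to put the "both required files or refuse" rule inside the engine entry point itself, so that the CLI, a tool handler and a direct library call cannot diverge. The code below is an added illustration, not the skill's own code; the role names, which roles are required, the accepted file types and the `review`/`cli_main`/`demo` function names are all assumptions.

```python
"""Shared input guardrail for a deployment-plan review engine.

Added example, not the skill's own code. The documented rule ("refuse to
parse when only one required file is supplied") is enforced inside the
engine entry point, so the CLI wrapper, an MCP tool handler and a direct
library call all hit the same refusal. Role names, which roles are
required, and the accepted file types are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

REQUIRED_ROLES = frozenset({"plan", "deployment"})   # assumed required pair
OPTIONAL_ROLES = frozenset({"management"})           # assumed optional
ALLOWED_SUFFIXES = {".docx", ".xlsx", ".md", ".txt"}  # assumed


class IncompleteInputError(ValueError):
    """A required document role is missing, unknown, or unreadable."""


@dataclass(frozen=True)
class ReviewInputs:
    plan: Path
    deployment: Path
    management: Path | None = None

    @classmethod
    def from_mapping(cls, files: dict[str, str | Path]) -> "ReviewInputs":
        """Validate role -> path before anything is parsed or archived."""
        roles = set(files)
        unknown = roles - REQUIRED_ROLES - OPTIONAL_ROLES
        if unknown:
            raise IncompleteInputError(f"unknown document roles: {sorted(unknown)}")
        missing = REQUIRED_ROLES - roles
        if missing:
            raise IncompleteInputError(
                f"refusing to parse: missing required role(s) {sorted(missing)}")
        resolved: dict[str, Path] = {}
        for role, raw in files.items():
            path = Path(raw)
            if path.suffix.lower() not in ALLOWED_SUFFIXES:
                raise IncompleteInputError(f"{role}: unsupported file type {path.suffix!r}")
            if not path.is_file():
                raise IncompleteInputError(f"{role}: not a readable file: {path}")
            resolved[role] = path
        return cls(plan=resolved["plan"], deployment=resolved["deployment"],
                   management=resolved.get("management"))


def review(files: dict[str, str | Path]) -> dict[str, str]:
    """Programmatic entry point: the only way into the engine.

    Stands in for the real parser; it returns the accepted role -> path map.
    Because validation happens here, a direct caller cannot be looser than
    the CLI, which is the gap the finding describes.
    """
    inputs = ReviewInputs.from_mapping(files)
    accepted = {"plan": str(inputs.plan), "deployment": str(inputs.deployment)}
    if inputs.management is not None:
        accepted["management"] = str(inputs.management)
    return accepted


def cli_main(argv: list[str]) -> int:
    """Thin CLI wrapper over review(): parses role=path args, adds no checks."""
    files: dict[str, str] = {}
    for arg in argv:
        role, sep, path = arg.partition("=")
        if not sep:
            print(f"bad argument {arg!r}; expected role=path")
            return 2
        files[role] = path
    try:
        review(files)
    except IncompleteInputError as exc:
        print(f"error: {exc}")
        return 1
    return 0


def demo() -> dict[str, object]:
    """Constructed sample: two placeholder documents, then the paths a caller
    can take. Both the CLI and the direct call refuse the single-file case."""
    import tempfile
    d = Path(tempfile.mkdtemp())
    plan = d / "plan.docx"
    plan.write_bytes(b"constructed placeholder")
    deployment = d / "deployment.xlsx"
    deployment.write_bytes(b"constructed placeholder")
    results: dict[str, object] = {
        "cli_both": cli_main([f"plan={plan}", f"deployment={deployment}"]),
        "cli_plan_only": cli_main([f"plan={plan}"]),
        "cli_bad_arg": cli_main(["plan.docx"]),
    }
    try:
        review({"plan": plan})
        results["direct_plan_only"] = "accepted"
    except IncompleteInputError:
        results["direct_plan_only"] = "refused"
    return results
```

The design point is that `cli_main` contains no validation of its own: if the check lived only in the wrapper, every other entry point would have to duplicate it, and the one that forgot is the bypass.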

Intent-Code Divergence

Medium (78% confidence)
Finding
The workflow says the skill must wait when the user selects A or B in the clarification step, but the direct-call path still executes unconditionally. This inconsistency can cause the skill to continue processing before user intent is resolved, reducing reliability and potentially processing data under a different scope than the user chose.

Description-Behavior Mismatch

Medium (97% confidence)
Finding
The code silently copies all user-supplied plan, deployment, and management files into a persistent raw archive directory before processing. These documents likely contain infrastructure topology, IPs, hostnames, and operational details, so undisclosed retention materially increases confidentiality risk and data exposure surface.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The skill appends findings from every run into a cumulative master tracking workbook, creating a persistent cross-run history of potentially sensitive operational issues. This expands data retention beyond the immediate reporting purpose and can expose prior customers' or environments' information to later users or administrators if the file is accessible.

Missing User Warnings

Medium (93% confidence)
Finding
The skill states that it will automatically archive original inputs and process files, but it does not clearly notify users about retention before handling potentially sensitive deployment documents. In this context, the files may contain infrastructure topology, IPs, hostnames, and operational details, so undisclosed retention materially raises confidentiality and compliance risk.

Missing User Warnings

Medium (98% confidence)
Finding
Copying sensitive input documents into a raw archive without user-facing warning or consent is a privacy and confidentiality issue, especially for deployment plans and management inventories. Because the archive preserves the original files intact, any compromise or unintended access exposes full source documents rather than just derived report snippets.

Ssd 3

Medium (96% confidence)
Finding
The instructions mandate automatic archival and persistent retention of user-supplied documents and process artifacts without any stated consent, minimization, or retention limit. Because the skill processes deployment plans and spreadsheets, persistent storage can expose sensitive infrastructure data long after the review is complete.

Ssd 3

Medium (98% confidence)
Finding
The documented code copies every provided source document into a persistent raw archive before processing. This creates duplicate sensitive files on disk, increasing the attack surface for local compromise, unauthorized access, accidental disclosure, and excessive retention of customer or production-environment data.

Ssd 3

Medium (95% confidence)
Finding
The skill requires all raw inputs, generated reports, and process files to remain under a persistent skill directory, implying long-term retention by default. In the context of deployment reviews, this can accumulate a valuable corpus of infrastructure and operations data that would be highly useful to an attacker if accessed.

Ssd 3

Medium (97% confidence)
Finding
The function returns parsed plan, deployment, and management structures and stores raw inputs and output paths, exposing sensitive document contents and metadata beyond the minimum needed to deliver a report. This violates data minimization principles and increases the chance that downstream callers, logs, or adjacent components can access confidential infrastructure details.

Ssd 3

Medium (96% confidence)
Finding
The skill writes user-derived evidence, IPs, hostnames, issue descriptions, and recommendations into persistent Word and Excel reports, including a master tracking file. In this operational review context, that data is sensitive because it documents infrastructure state and weaknesses, so broad persistence increases disclosure risk if the output directory or shared workbook is accessible.
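The retention findings above (silent copies under data/raw, no consent, no minimization, no retention limit, cumulative history) share one remedy: record provenance without keeping the documents, copy only on explicit opt-in, and bound how long anything under data/raw and output survives. The code below is an added example, not the skill's code. The directory names data/raw and output come from the page; the manifest path, the run-id scheme, the 30-day window and the function names are assumptions.

```python
"""Retention-bounded input handling for a review skill.

Added example, not the skill's own code. Provenance is recorded as a
SHA-256 digest rather than a copy, full copies are made only on explicit
opt-in, and a retention window is enforced on the archive and the reports.
data/raw and output come from the page; the rest is assumed.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import time
from pathlib import Path

RAW_DIR = "data/raw"               # from the page
OUTPUT_DIR = "output"              # from the page
MANIFEST = "data/manifest.jsonl"   # assumed


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large spreadsheets are not read whole."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_inputs(skill_dir: Path, inputs: list[Path], *, keep_copies: bool = False,
                  run_id: str | None = None) -> list[dict]:
    """Record provenance for each input document.

    By default only name, size and digest go to the manifest, which is enough
    to prove later which documents a report was built from. A byte-for-byte
    copy under data/raw/<run_id>/ is made only when the caller opted in.
    """
    skill_dir = Path(skill_dir)
    run_id = run_id or time.strftime("%Y%m%dT%H%M%S")
    manifest = skill_dir / MANIFEST
    manifest.parent.mkdir(parents=True, exist_ok=True)
    entries: list[dict] = []
    for src in map(Path, inputs):
        entry = {"run": run_id, "name": src.name, "bytes": src.stat().st_size,
                 "sha256": sha256_file(src), "copy": None}
        if keep_copies:
            dest = skill_dir / RAW_DIR / run_id / src.name
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dest)  # copyfile: mtime is archive time, not source time
            entry["copy"] = dest.relative_to(skill_dir).as_posix()
        with manifest.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        entries.append(entry)
    return entries


def prune(skill_dir: Path, max_age_days: float, *, now: float | None = None) -> list[str]:
    """Delete archived copies and generated reports older than the window.

    Returns the relative paths removed. Meant to run at the end of every
    review so retention is bounded without relying on the user remembering.
    """
    skill_dir = Path(skill_dir)
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    removed: list[str] = []
    for sub in (RAW_DIR, OUTPUT_DIR):
        root = skill_dir / sub
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if p.is_file() and p.stat().st_mtime < cutoff:
                p.unlink()
                removed.append(p.relative_to(skill_dir).as_posix())
    return removed


def demo() -> dict[str, object]:
    """Constructed sample: two placeholder documents, one default run, one
    opted-in run, then a prune inside and one past the 30-day window."""
    import tempfile
    base = Path(tempfile.mkdtemp())
    incoming = base / "incoming"
    incoming.mkdir()
    plan = incoming / "plan.docx"
    plan.write_bytes(b"constructed sample: topology and hostnames")
    deployment = incoming / "deployment.xlsx"
    deployment.write_bytes(b"constructed sample: host inventory")
    skill = base / "skill"
    default_run = record_inputs(skill, [plan, deployment], run_id="run-0001")
    optin_run = record_inputs(skill, [plan, deployment], keep_copies=True, run_id="run-0002")
    out = skill / OUTPUT_DIR
    out.mkdir(parents=True, exist_ok=True)
    (out / "report.docx").write_bytes(b"constructed report")
    removed_now = prune(skill, max_age_days=30)
    removed_later = prune(skill, max_age_days=30, now=time.time() + 31 * 86400)
    return {
        "default_copies": [e["copy"] for e in default_run],
        "optin_copies": [e["copy"] for e in optin_run],
        "same_digest": default_run[0]["sha256"] == optin_run[0]["sha256"],
        "digest_len": len(default_run[0]["sha256"]),
        "removed_now": removed_now,
        "removed_later": removed_later,
        "manifest_lines": sum(1 for _ in (skill / MANIFEST).open(encoding="utf-8")),
    }
```

The manifest keeps the digest so a later dispute ("which version of the plan did this report review?") can still be settled against the customer's own copy, without the skill holding the document. A cumulative master workbook is not covered by `prune`; writing one workbook per run under output, so it ages out with the reports, is the simplest way to stop cross-run history from accumulating.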

VirusTotal

62 of 62 vendors reported this skill as clean. A clean antivirus verdict does not address the findings above, which concern how the skill handles and retains data rather than whether it contains malicious code.

View on VirusTotal