Dev Serve

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate dev-server helper, but it automatically changes project and Caddy configuration and exposes services with limited safeguards.

Install only if you are comfortable with a shell helper that can run project commands, start tmux sessions, edit Vite config, modify and reload your Caddyfile, and expose dev servers on your domain. Use it only with trusted repos, keep repo names and DEV_SERVE_DOMAIN DNS-safe, back up your Caddyfile, firewall raw dev ports, and clean up with dev-serve down when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill clearly describes shell-capable behavior such as copying executables, starting tmux sessions, probing ports, and reloading Caddy, yet it declares no permissions. That mismatch can mislead users and orchestration systems about the skill's actual capabilities, increasing the chance of unintended command execution or unsafe approval flows.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The declared purpose says the skill starts and manages dev servers, but the documented behavior also modifies repository files, edits the Caddyfile/dashboard content, and performs active network probing. This broader behavior increases risk because users may authorize the skill expecting simple service management, while it can also alter source/configuration state and local reverse-proxy routing.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The script modifies application source files by auto-patching Vite config, which exceeds the stated scope of merely starting and exposing dev servers. This can silently alter repository code, introduce persistent config changes, and create unintended exposure by expanding allowed hosts without explicit user approval.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The DEV_CMD environment variable is executed as an arbitrary shell command via tmux send-keys, allowing the skill to run any command, not just a dev server. In an agent or automation context, this becomes a command-execution primitive that can perform destructive local actions or data exfiltration under the user's privileges.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Automatically patching `vite.config.*` is a source-code/configuration modification, but the skill does not present this as a prominent warning before use. Hidden or weakly disclosed write behavior is dangerous because it can surprise users, change application behavior, and introduce hard-to-audit diffs in trusted repositories.

VirusTotal

66/66 vendors flagged this skill as clean.