Back to skill

Security audit

Flow

Security checks across malware telemetry and agentic risk

Overview

Flow appears legitimate, but it can automatically create and register executable workflow files from broad user input without enough review controls.

Install only in an isolated environment, review generated files in the flows directory and skill_registry.json before running or reusing them, consider disabling automatic registry updates, and pin dependencies to reviewed safe versions before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises orchestration, registry search, security scanning, composition, and CLI execution patterns that imply file I/O, network access, and possible shell-adjacent behavior, yet the manifest declares no permissions or operational constraints. This creates a capability-transparency gap: users or calling systems cannot accurately assess or sandbox what the skill may do, increasing the risk of over-privileged execution and unsafe composition.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The code accepts an arbitrary path and recursively walks directories, opening and reading all Python files it finds. In an agent context, this creates a filesystem inspection capability that can expose sensitive source code or secrets from locations unrelated to the stated workflow-orchestration purpose, especially if an attacker can influence the scan path.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill is described as accepting broad natural-language build requests and compiling them into workflows without clear trigger boundaries, approval gates, or scope restrictions. In an orchestration skill, vague activation criteria can cause unintended invocation for risky requests, leading to unsafe workflow generation or execution paths that exceed user expectations.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage examples rely on generic prompts such as building scrapers or monitoring automations, with no activation specificity, safety boundaries, or examples of disallowed behavior. Because this skill orchestrates other components, permissive example phrasing can normalize open-ended requests and increase the chance that downstream capabilities are assembled into workflows that perform sensitive actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The template-based generator writes arbitrary template-supplied code directly into a Python file without validation, sandboxing, trust checks, or any disclosure. In the context of a skill orchestrator that compiles reusable workflows, templates are effectively code inputs; if an attacker can influence them, this becomes a straightforward path to persistence of malicious code for later execution.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The directory walk silently reads arbitrary .py files without any user-facing notice or consent mechanism. While it is limited to Python files, this still enables unannounced inspection of local codebases and may surface proprietary logic or embedded credentials in scan results.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The UI invites users to build workflows from natural-language input and explicitly says Flow will compose and register them, but it does not provide a clear warning that this action may create files or mutate persistent registry state. In a system that generates and saves reusable workflows, missing informed-consent and side-effect disclosure increases the risk of users unintentionally authoring or storing unsafe automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The build action sends unrestricted free-form input directly into the orchestration pipeline with progress text indicating parsing, searching, scanning, composing, and registry updates, yet the UI does not warn that the resulting workflow may compose executable code or have filesystem/system effects. In the context of a skill orchestrator that creates reusable workflows, this omission can facilitate unsafe execution or persistence of harmful logic because users are not prompted to review or approve high-impact actions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Flow - Intelligent Skill Orchestrator Dependencies

# Core dependencies
streamlit>=1.28.0
pandas>=2.0.0

# Natural Language Processing
Confidence
91% confidence
Finding
streamlit>=1.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
streamlit>=1.28.0
pandas>=2.0.0

# Natural Language Processing
nltk>=3.8.0
Confidence
91% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0

# Natural Language Processing
nltk>=3.8.0
spacy>=3.6.0

# Security scanning
Confidence
95% confidence
Finding
nltk>=3.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Natural Language Processing
nltk>=3.8.0
spacy>=3.6.0

# Security scanning
bandit>=1.7.5
Confidence
90% confidence
Finding
spacy>=3.6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
spacy>=3.6.0

# Security scanning
bandit>=1.7.5
safety>=2.3.0

# Code analysis
Confidence
88% confidence
Finding
bandit>=1.7.5

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Security scanning
bandit>=1.7.5
safety>=2.3.0

# Code analysis
ast-grep>=0.12.0
Confidence
88% confidence
Finding
safety>=2.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
safety>=2.3.0

# Code analysis
ast-grep>=0.12.0
pylint>=2.17.0
Confidence
87% confidence
Finding
ast-grep>=0.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Code analysis
ast-grep>=0.12.0
pylint>=2.17.0
Confidence
87% confidence
Finding
pylint>=2.17.0

Known Vulnerable Dependency: streamlit==1.28.0 — 5 advisory(ies): CVE-2026-33682 (Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Expo); GHSA-8qw9-gf7w-42x5 (Minor fix to previous patch for CVE-2022-35918); CVE-2024-42474 (Path traveral in Streamlit on windows) +2 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
streamlit==1.28.0

Known Vulnerable Dependency: nltk==3.8.0 — 10 advisory(ies): CVE-2026-33236 (NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwr); CVE-2026-0847 (NLTK has a Path Traversal issue); CVE-2025-14009 (NLTK has a Zip Slip Vulnerability) +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
nltk==3.8.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
skill_scanner_integration.py:50