Back to skill

Security audit

Cpu

Security checks across malware telemetry and agentic risk

Overview

This is advertised as a CPU monitor, but it actually stores searchable local operations notes, so users should review it before installing.

Treat this as a local plaintext operations journal, not a real CPU monitor. Do not enter passwords, tokens, private incident notes, sensitive hostnames, or backup details unless you are comfortable storing them under ~/.local/share/cpu and possibly exporting them later. Use a separate trusted system tool if you need actual CPU load, temperature, or top-process data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior materially diverges from the stated CPU-monitoring purpose: instead of inspecting live CPU metrics, the skill acts as a generic append-only operations logger and search/export utility. This can cause an agent or user to invoke it under false assumptions, leading to unintended collection, retention, and later disclosure of arbitrary operational or sensitive text in local logs.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest presents a CPU monitoring tool, but the body describes a broad sysops journaling toolkit with unrelated operational logging features. This deceptive interface can route sensitive system-operation content into local storage when the caller expected harmless telemetry collection, increasing risk of misuse and data exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Backup, restore, fix, and cleanup logging capabilities are outside the stated CPU-monitoring scope and encourage use for broader operational workflows. In context, this scope expansion is dangerous because it normalizes recording potentially sensitive incident-response, backup, and remediation details into plain-text local logs without clear purpose limitation.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
Branding the skill as 'Cpu' while describing a general sysops toolkit obscures its true function and can mislead skill-selection logic or human operators. In an agent setting, misleading identity increases the chance that broad logging features are invoked in contexts where only CPU inspection was intended.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises CPU monitoring and process ranking, but the implementation does not inspect system CPU state at all; it simply stores arbitrary user-supplied text and replays it later. This is dangerous because it creates a deceptive capability boundary: users or higher-level agents may trust fabricated 'monitoring' output, and the tool unnecessarily collects and persists arbitrary input under the guise of system telemetry.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The help text exposes broad operational verbs such as backup, restore, cleanup, fix, and benchmark that are unrelated to the stated CPU-monitoring scope. Even though these branches currently just log input, the overbroad interface increases the chance that users or orchestrating agents invoke the tool for sensitive operational tasks it was never meant to perform, creating confusion and expanding the social-engineering surface.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
Describing the script as a generic 'sysops tool/toolkit' conflicts with the manifest's narrow CPU-monitoring purpose and signals broader administrative intent than declared. In agentic environments, such misleading labeling can cause the tool to be selected for tasks outside its approved scope, weakening user understanding and policy controls.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documented commands include operational actions like fix, cleanup, backup, and restore, which do not match the manifest's CPU-monitoring intent. This mismatch is dangerous because agents often rely on help text for capability discovery, so the tool may be used in contexts involving maintenance or recovery workflows where inaccurate behavior could mislead operators or leak persisted data.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The broad 'When to Use' guidance invites generic system-operations use, not constrained CPU diagnostics. In agent environments, overly broad activation guidance can cause the skill to be selected for unrelated tasks, increasing unnecessary data logging and retention of operational details.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The command set uses broad verbs like scan, report, fix, cleanup, backup, and restore without clear constraints, which encourages ambiguous or overly powerful use beyond CPU monitoring. This is risky because callers may supply arbitrary sensitive content that becomes persisted under misleadingly innocuous command names.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These command handlers persist arbitrary user-provided input to local log files without clearly informing the user beforehand. In practice, users may paste process details, hostnames, credentials, internal incident notes, or other sensitive operational data, which then becomes long-lived local storage and can later be surfaced by other commands.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The export routine copies all previously stored logs into new export files without an upfront warning that historical user input will be aggregated and duplicated on disk. This increases exposure because sensitive content becomes easier to exfiltrate, share, or leave behind in multiple files and formats.

Ssd 3

Medium
Confidence
96% confidence
Finding
The tool persistently records arbitrary user input and later exposes it through search, recent, status, and export functions, creating a simple local data-retention and disclosure mechanism. In the context of a purported CPU-monitoring skill, this behavior is more dangerous because operators may not expect that diagnostic input or pasted system details are being stored and replayed across commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.