Security audit

Llm Chain

Security checks across malware telemetry and agentic risk

Overview

The skill is a local plaintext LLM-workflow logbook, but its package metadata presents it as LangChain4j/Java and it can retain sensitive prompts or experiment notes on disk.

Install only if you want a local plaintext logbook, not a Java LangChain4j integration. Avoid entering API keys, customer data, private prompts, proprietary code, or confidential fine-tuning details unless you are prepared to manage and delete the files under ~/.local/share/llm-chain. Verify the installed llm-chain command maps to the reviewed script.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The file content documents an 'LLM Chain' Bash CLI, while the manifest advertises a Java LangChain4j library. This is a true security issue because skill identity deception undermines informed consent and review, making it easier for a user or agent to invoke filesystem-writing functionality they did not expect from the declared package.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The implementation materially contradicts the declared skill purpose: instead of providing a Java LangChain4j integration, it installs a Bash CLI that captures arbitrary user-supplied text and stores it locally. That mismatch is a strong indicator of deceptive packaging and increases the chance that users will provide sensitive prompts, credentials, or proprietary data to a component they would not have installed if accurately described.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The script creates a persistent data directory and appends activity and command contents to log files even though that behavior is not necessary for the claimed Java library functionality. This can silently retain sensitive prompts, API keys, internal project details, or other confidential inputs on disk where other local users, backup systems, or later processes may access them.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly encourages free-text logging of prompts, benchmarks, fine-tuning notes, usage, and reports, then stores and exports that data in plain text, but it does not clearly warn that sensitive or proprietary information may be retained and discoverable later. In an LLM workflow context, these inputs often contain secrets, internal prompts, model settings, customer data, or evaluation artifacts, so silent persistence materially increases privacy and confidentiality risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: At this call site and throughout similar handlers, all user input is concatenated and written verbatim to per-command log files without any warning, consent, or sanitization. In the context of an LLM-related tool, users may paste prompts, tokens, model outputs, customer data, or proprietary code, so silent persistence creates a meaningful confidentiality and privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.