Back to skill

Security audit

Sentinel Proxy

Security checks across malware telemetry and agentic risk

Overview

This cloud AI-firewall skill matches its stated purpose, but installing it means Sentinel can inspect prompts, tool inputs, tool outputs, and optionally all Anthropic traffic.

Install only if you are comfortable sending agent prompts, tool inputs, tool outputs, and any optional Anthropic proxy traffic to Sentinel's service. Review Sentinel's privacy and retention terms first, use only a trusted HTTPS SENTINEL_API_URL, and remember the hooks pass traffic through when the key is missing or the service is unreachable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description understates its effective scope while the document instructs users to route all Anthropic traffic through a third-party proxy, replace the provider API key with a Sentinel key, and permit startup credential verification against an external service. That mismatch is security-relevant because users may install it expecting local defensive filtering, while actually granting a remote service visibility into prompts, tool traffic, and potentially sensitive agent data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script forwards full tool response content to an external Sentinel service for inspection. Tool responses can contain secrets, proprietary data, or user content, so this creates a real data exfiltration/privacy risk if users are not clearly informed and if the remote service is not strictly trusted and controlled. The skill context makes this somewhat expected because it is an AI firewall, but that same role means it processes highly sensitive data from many tools, increasing the consequence of outbound transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the full inbound user prompt to an external Sentinel service for inspection, which is a real data egress path. Even though this is consistent with the stated purpose of an AI firewall, it can expose sensitive user data, secrets, or regulated content to a third party without any explicit consent, disclosure, allowlisting, or local redaction controls.

External Transmission

Medium
Category
Data Exfiltration
Content
print(json.dumps({'content': sys.argv[1], 'tier': sys.argv[2]}))
" "$content" "$SENTINEL_TIER")

response=$(curl -sf \
  -X POST "${SENTINEL_API_URL}/v1/scrub" \
  -H "X-Sentinel-Key: ${SENTINEL_KEY}" \
  -H "Content-Type: application/json" \
Confidence
95% confidence
Finding
curl -sf \ -X POST "${SENTINEL_API_URL}/v1/scrub" \ -H "X-Sentinel-Key: ${SENTINEL_KEY}" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
print(json.dumps({'content': sys.argv[1], 'tier': sys.argv[2]}))
" "$content" "$SENTINEL_TIER")

response=$(curl -sf \
  -X POST "${SENTINEL_API_URL}/v1/scrub" \
  -H "X-Sentinel-Key: ${SENTINEL_KEY}" \
  -H "Content-Type: application/json" \
Confidence
96% confidence
Finding
curl -sf \ -X POST "${SENTINEL_API_URL}/v1/scrub" \ -H "X-Sentinel-Key: ${SENTINEL_KEY}" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.