Back to skill

Security audit

Agent Security Dlp

Security checks across malware telemetry and agentic risk

Overview

This DLP skill is security-focused and mostly purpose-aligned, but it stores sensitive checked content locally by default and some advertised protections are weaker than the documentation implies.

Review and configure logging before installing. Avoid using real secrets, PII, or private memory data with this skill unless audit logging is disabled or redacted, and make integrations treat require_approval and blocked fields carefully rather than assuming the skill enforces all advertised protections automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation does not declare permissions, yet the implementation reportedly performs file writes for persistent audit logging. Undeclared write capability is risky because it expands the skill's effective privileges beyond what a reviewer or operator would expect, and log files can accumulate sensitive prompts or outputs on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
This is a true security issue because the documented behavior materially differs from the implemented behavior, including persistent log writing, extra commands, and a wrapper that does not actually separate input/output checks as claimed. In a security product, such mismatches can cause operators to rely on protections that are not really enforced, while sensitive data may be written to disk without clear disclosure.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
`check_input()` is documented as performing input validation, but it routes to the same generic `check()` flow, which unconditionally calls `self.dlp.check_output(text)`. In a DLP skill whose stated purpose is protecting both ingress and egress, using output-only policy for input handling can leave inbound prompt-injection, secret-seeding, or unsafe tool-trigger content insufficiently filtered while giving callers a false sense of protection.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The audit logger persists full result objects for input, memory, and tool checks, which include raw user text, memory contents, and tool parameters. In a DLP component, storing the very sensitive data being inspected materially expands the blast radius: secrets and PII that should only be transiently scanned become durable local records that can later be exposed, copied, or misused.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The get_logs capability reads back stored audit entries, which may contain previously logged sensitive input, memory data, and tool parameters. This turns the module from a filter into a retrievable datastore for secrets/PII, increasing the chance of secondary disclosure through CLI use or any caller that invokes the method.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Writing user-provided input and memory-derived data to disk without clear notice or minimization creates a privacy and data-exposure risk. Because this module processes exactly the categories of information DLP systems are supposed to protect, silent persistence makes the context more dangerous, not less, by creating a new sensitive repository on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI accepts arbitrary user text and routes it through methods that automatically write audit entries, so a user can unknowingly cause sensitive content to be stored on disk. In a command-line environment this is particularly risky because users often paste tokens, credentials, or records directly into commands, and shell history plus audit logs can compound exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.