Back to skill

Security audit

UniFi Network Diagnostics

Security checks across malware telemetry and agentic risk

Overview

This skill runs disclosed, bounded, read-only UniFi and network diagnostics, with local configuration writes gated on explicit owner approval.

Install only if you are comfortable with a skill running local read-only network checks and querying your configured UniFi helper. Do not share its diagnostic output publicly without reviewing it, and only approve the --write option if you want it to remember the local helper path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell scripts and network diagnostic commands but does not declare permissions, which obscures its real execution capabilities from reviewers and policy enforcement. In a skill that performs autonomous local discovery and shell-based diagnostics, missing permission declarations increase the chance of unintended command execution without appropriate gating or user awareness.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrase 'vague network-health questions' is overly broad and can cause the skill to activate in situations where the user did not clearly request local network diagnostics. Because the skill can run shell-based tests and local helper discovery autonomously, overbroad activation raises the risk of unnecessary local probing and privacy-invasive data collection.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Autonomous Follow-Up Tests

Run safe follow-ups without asking when they help isolate the fault:

- Repeat the bundled diagnostic script to check whether packet loss, DNS timing, or gateway reachability is transient.
- Use bounded `ping`, `dig`, `getent`, `ip route`, `resolvectl status`, or `nmcli device show` checks if installed.
Confidence
86% confidence
Finding
without asking

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.