Back to skill

Security audit

AI Agent Skill Directory

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a curated recommendation catalog, but it also ships under-disclosed Python code that can import external local code and documentation that normalizes force-installing flagged skills.

Review this package before installing, especially brain_enhance.py and test.py. Treat it as a recommendation and promotion catalog, not an independent safety authority, and do not run its test script or follow --force install examples unless you have inspected the target skills in a sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This helper silently modifies the Python import path to load code from an external workspace location and then queries that external 'company-brain' source at runtime. For a skill whose stated purpose is a curated skill directory, this creates an unnecessary trust boundary crossing: unreviewed local code can be imported and its output is injected into prompts, enabling prompt poisoning, data contamination, or execution of attacker-controlled code if the workspace path is compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The test helper dynamically imports and executes `brain_enhance.py`, which runs arbitrary top-level Python code from the skill directory during what is presented as a validation step. In a skill-directory context, users or automation may run this verifier expecting passive checks, so a malicious or compromised optional module could trigger code execution, data access, or environment manipulation.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring claims the script only verifies configuration and metadata files, but the implementation also executes `brain_enhance.py` during import. That mismatch increases risk because reviewers and users may trust the script as a harmless verifier and run it in sensitive environments, enabling unexpected code execution from repository content.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README describes very broad recommendation behavior ('when user asks' followed by generic examples) without defining activation boundaries, user consent requirements, or constraints on when the skill should inject tool recommendations. In a meta-skill that teaches an agent what to install or use, this can cause unsolicited or over-broad steering toward specific tools, including the author's own offerings, which increases the risk of deceptive promotion and inappropriate tool selection.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The usage examples are broad enough that an agent may invoke this directory skill for generic recommendation questions such as 'What skills do you recommend?' or 'Find a tool for [task]' without sufficient task scoping. That can cause unintended activation, leading the skill to steer tool selection or installation decisions even when a more specific or safer workflow should be used.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The methodology explicitly says the reviewer installed top results with `--force` for flagged skills, but the document provides no warning about the risks of bypassing safety flags. In a skill directory context, this normalizes unsafe installation practices and could lead users to install unreviewed or suspicious packages despite package-manager safeguards.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The recommended bundle presents multiple install commands as a ready-to-run stack without advising users to inspect package contents, permissions, side effects, or compatibility first. Because these are agent skills that can influence behavior, memory, automation, and persistence, treating them as drop-in safe increases supply-chain and misconfiguration risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
test.py:56