Back to skill

Security audit

AI Agent Skill Scanner

Security checks across malware telemetry and agentic risk

Overview

The scanner’s main command is a coherent local file scanner, but the package also includes an undocumented helper that can read from an external local “company-brain” resource and inject that context into vetting prompts.

Review this package before installing. The main scanner appears read-only and purpose-aligned, but the undocumented brain_enhance.py helper should be removed or clearly explained before trusting it in sensitive environments. Treat results as first-pass pattern matching, especially because some directories such as .env, .git, virtualenvs, and build output are skipped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill declares no permissions in SKILL.md, yet the associated behavior reportedly includes file reading and shell capabilities. Undeclared capabilities reduce transparency and can mislead users about the skill's trust boundary, especially for a security-themed skill that users may trust more readily.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is a local skill scanner, but the reported behavior extends to accessing an external local resource, invoking a separate Brain service, and augmenting prompts with externally sourced policy context. This mismatch is dangerous because it expands data access beyond the target skill and creates a hidden prompt/data flow that could exfiltrate sensitive information or manipulate scan outcomes.

Credential Access

High
Category
Privilege Escalation
Content
from typing import Dict, List

# Directories and file types to skip (reduces false positives)
SKIP_DIRS = {"node_modules", "__pycache__", ".git", ".venv", ".env", "venv", "dist", "build", ".next"}
SKIP_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff", ".woff2", ".ttf", ".eot",
            ".pyc", ".pyo", ".so", ".o", ".a", ".class", ".jar",
            ".mp3", ".mp4", ".avi", ".mov", ".wav",
Confidence
95% confidence
Finding
.env"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.