
Security audit

Company Brain Core OS

Security checks across malware telemetry and agentic risk

Overview

This looks like a plausible local knowledge-base skill, but installation runs unpinned external code that is not fully represented in the reviewed package.

Review install.sh and the upstream GitHub repository before installing. Only proceed if you are comfortable letting the installer execute code fetched from bun.sh, GitHub, and PyPI (via pip) under your own user account; prefer a pinned release, or set up the dependencies manually, before using the skill with private company facts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The skill claims to be a local deterministic knowledge base, but the observed behavior includes broader software installation and bootstrap activity, including fetching and installing external components and pulling in additional tooling. This mismatch is dangerous because users may trust the declared purpose and run setup steps that introduce unreviewed code execution, dependency-chain risk, and an attack surface well beyond that of a simple local knowledge base.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer downloads and immediately executes a remote script from bun.sh, introducing network-dependent behavior and arbitrary code execution that is broader than the stated purpose of a local, deterministic knowledge base. This is dangerous because compromise of the remote host, TLS interception, or an upstream supply-chain issue would result in code execution on the user's machine during installation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
Cloning code directly from GitHub makes the install process depend on external network state and unpinned upstream content, which conflicts with the product's 'local, deterministic' framing. While cloning a repository is common, it still expands trust to a remote source and can install different code over time if the branch changes or the repository is compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The command pipes data fetched from the internet directly into bash, which is a classic arbitrary code execution pattern. In the context of an installer for a knowledge-base skill, this capability is not narrowly justified and significantly increases risk because any compromise of the fetched script gives an attacker immediate execution during setup.

Missing User Warnings

High
Confidence
98% confidence
Finding
The installer executes a remote shell script without warning the user that code from an external domain will be run immediately. Lack of disclosure and confirmation increases the chance of silent compromise and violates safe-install expectations for a tool advertised as local and deterministic.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script clones code from GitHub and then runs a pip installation of dependencies, both of which can introduce untrusted code, but it does not clearly disclose this behavior or obtain consent. Installing dependencies is more than a file download: a source distribution runs arbitrary setup/build hooks as the installing user, so this creates meaningful supply-chain risk.
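The three patterns the findings above describe, shown as an added example that is not the audited skill's installer and not SkillSpector's code: a small shell auditor that flags a remote script piped into a shell, a git clone with no pinned commit, and a pip install without --require-hashes, run over two constructed install.sh bodies. The risky body mirrors what this report describes; the hardened body shows the pinned alternative (download to a file, check a hash you recorded when you reviewed the script, then run it; check out a reviewed commit instead of a moving branch; install only hash-pinned wheels). The URLs, repository name, commit id and hash placeholder are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit an installer script for the patterns flagged in this
# report. Both install.sh bodies below are constructed for illustration; they
# are not the real installer, and the repo URL, commit id and hash are placeholders.

# Print one line per risky pattern found in the script given as $1.
# Always exits 0 so callers can count lines under `set -e`.
audit_installer() {
  file="$1"
  # 1. Remote content (curl/wget) piped straight into a shell interpreter.
  grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)' "$file" \
    | sed 's/^/pipe-to-shell: /'
  # 2. git clone with no `git ... checkout <40-hex commit>` anywhere in the script,
  #    i.e. whatever the default branch holds at install time gets installed.
  if grep -qE '^[^#]*git[[:space:]]+clone' "$file" \
     && ! grep -qE 'git[[:space:]].*checkout[[:space:]]+[0-9a-f]{40}' "$file"; then
    grep -nE '^[^#]*git[[:space:]]+clone' "$file" | sed 's/^/unpinned-clone: /'
  fi
  # 3. pip install without --require-hashes: sdist setup/build hooks run as you.
  grep -nE '^[^#]*pip3?[[:space:]]+install' "$file" \
    | grep -v -- '--require-hashes' \
    | sed 's/^/unpinned-pip: /'
  return 0
}

# Number of findings for a script, for use in conditions.
count_findings() {
  audit_installer "$1" | wc -l | tr -d ' '
}

RISKY=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$RISKY" "$HARDENED"' EXIT

# Constructed: the shape of installer this report describes.
cat >"$RISKY" <<'EOF'
#!/bin/bash
curl -fsSL https://bun.sh/install | bash
git clone https://github.com/example-org/company-brain.git "$HOME/.company-brain"
pip install -r "$HOME/.company-brain/requirements.txt"
EOF

# Constructed: the same steps with every external input pinned and verified.
cat >"$HARDENED" <<'EOF'
#!/bin/bash
set -euo pipefail
# Download to a file, compare against the hash recorded when you reviewed it, then run.
curl -fsSL -o /tmp/bun-install.sh https://bun.sh/install
echo "<sha256-you-verified>  /tmp/bun-install.sh" | sha256sum -c -
bash /tmp/bun-install.sh
# Clone, then pin to a reviewed commit (placeholder id) rather than today's branch head.
git clone https://github.com/example-org/company-brain.git "$HOME/.company-brain"
git -C "$HOME/.company-brain" checkout 0123456789abcdef0123456789abcdef01234567
# Only install wheels whose hashes are listed in requirements.txt; no sdist build hooks.
pip install --require-hashes --only-binary :all: -r "$HOME/.company-brain/requirements.txt"
EOF

echo "risky installer:    $(count_findings "$RISKY") finding(s)"
audit_installer "$RISKY"
echo "hardened installer: $(count_findings "$HARDENED") finding(s)"
```

The auditor is deliberately a grep-level check, the kind of thing to run over install.sh before deciding whether to trust it; it will not catch an installer that downloads a second script and executes that, so read the hardened body as the bar to hold the real installer to rather than as proof of safety.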

VirusTotal

66 of 66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.