Back to skill

Security audit

Speculative Exec

Security checks across malware telemetry and agentic risk

Overview

The skill appears to gather project context, but its instructions are broad enough that it may read more local files than users expect.

Review this skill before installing if you work in repositories with secrets, private customer data, or sensitive config files. It does not look malicious from the supplied evidence, but you should only use it where broad local file reading is acceptable and keep secret files out of scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and exemplifies file/data preloading behavior but declares no permissions, creating a mismatch between documented capabilities and the security model. In an agent environment, undeclared file-read behavior can bypass user expectations and platform policy checks, especially when combined with speculative loading of resources the user did not explicitly request.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation guidance is extremely broad ('analyze', 'read', 'search', 'write', etc.), so the skill may activate in many unrelated contexts and begin speculative resource loading without sufficiently specific intent. That increases the chance of unintended file reads, unnecessary data exposure, and surprising background actions based only on vague user wording.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The built-in workflow table maps generic keywords directly to actions like reading files, docs, tests, or config, without scope limits or authorization checks. In a speculative-execution skill, these broad mappings are more dangerous because they can systematically trigger background access to sensitive project artifacts before the user explicitly asks for them.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.