Approval Engine

Security checks across malware telemetry and agentic risk

Overview

The code of this approval-workflow skill matches its stated purpose, but it needs review before use: one rule evaluator executes generated JavaScript with eval(), and the Discord and local-logging data flows are under-scoped.

Install only after reviewing the rule-evaluation path and the data handling. Until eval() is removed, use only trusted rule files and trusted approval/context inputs. Restrict the Discord channels the bot can post to and the permissions granted to the bot token, and do not send customer, order or complaint details to Discord unless that has been approved. Set tight filesystem permissions and a retention policy for the local log files and JSON stores.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation clearly indicates access to environment variables and outbound network capabilities via Discord integration and example code using external fetch, yet it declares no permissions. This creates a transparency and governance gap: operators may enable the skill without understanding it can access secrets and send data off-system.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a real code-injection risk. The function builds a JavaScript expression string from configuration and context values and then executes it with eval(); anyone who can influence triggerCondition, config.thresholds, or a context value can close off the intended expression and append arbitrary statements, which run with the full privileges of the Node.js process. In an approval engine, rules and context typically come from external systems or admin-editable configuration, so this can compromise the workflow service, alter approval outcomes, or execute system commands.
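The following is an added example written for this review, not code from the skill itself: a rule evaluator that builds an expression string and eval()s it, placed beside a hardened evaluator that interprets the README's operator set (`>` `<` `>=` `<=` `==` `!=` `in` `not_in`) through an explicit lookup table and treats thresholds and context strictly as data. The field names `triggerCondition`, `config.thresholds` and `context` follow the finding text; the rule shape (`field`, `operator`, `threshold`), the sample config and the sample context are assumptions made for the demonstration.

```javascript
// Added example, not the skill's own code. Rule shape, config and context are constructed.

// --- Vulnerable pattern: string-building + eval() -----------------------------
// Any of field / operator / threshold that an attacker can influence ends up in
// source text that is executed. A threshold of "0; <statement>; true" still
// evaluates to true, so the rule looks healthy while the smuggled statement runs.
function evaluateRuleUnsafe(triggerCondition, config, context) {
  const { field, operator, threshold } = triggerCondition;
  const thresholdValue = config.thresholds[threshold] ?? threshold;
  const expr = `${context[field]} ${operator} ${thresholdValue}`;
  // eslint-disable-next-line no-eval
  return eval(expr); // DANGEROUS: executes whatever text ended up in expr
}

// --- Hardened pattern: explicit operator table, no code generation --------------
// Each README operator maps to a function; anything else is rejected. `==` and
// `!=` are deliberately implemented as strict comparisons.
const OPERATORS = Object.freeze({
  '>': (a, b) => a > b,
  '<': (a, b) => a < b,
  '>=': (a, b) => a >= b,
  '<=': (a, b) => a <= b,
  '==': (a, b) => a === b,
  '!=': (a, b) => a !== b,
  in: (a, b) => Array.isArray(b) && b.includes(a),
  not_in: (a, b) => Array.isArray(b) && !b.includes(a),
});
const RELATIONAL = new Set(['>', '<', '>=', '<=']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function evaluateRuleSafe(triggerCondition, config, context) {
  const { field, operator, threshold } = triggerCondition;
  const cmp = OPERATORS[operator];
  if (typeof cmp !== 'function' || !hasOwn(OPERATORS, operator)) {
    throw new Error(`unsupported operator: ${String(operator)}`);
  }
  if (typeof field !== 'string' || !hasOwn(context, field)) {
    throw new Error(`unknown context field: ${String(field)}`);
  }
  // A threshold may name an entry in config.thresholds or be a literal value.
  // In both cases it is used as a value, never as source text.
  const thresholdValue =
    typeof threshold === 'string' && hasOwn(config.thresholds, threshold)
      ? config.thresholds[threshold]
      : threshold;
  const actual = context[field];
  // Relational operators require numbers on both sides so "1500" vs 1000 (or an
  // injected string) cannot be coerced into a comparison.
  if (RELATIONAL.has(operator) && (typeof actual !== 'number' || typeof thresholdValue !== 'number')) {
    throw new TypeError(`operator ${operator} requires numeric operands`);
  }
  return cmp(actual, thresholdValue);
}

// --- Demonstration on constructed input ----------------------------------------
const config = { thresholds: { high_value: 1000 } };
const context = { amount: 1500, status: 'pending' };
const legitRule = { field: 'amount', operator: '>', threshold: 'high_value' };
// The threshold smuggles a statement into the generated expression.
const injectedRule = {
  field: 'amount',
  operator: '>',
  threshold: "0; globalThis.__injected = 'code ran'; true",
};

function demo() {
  const results = {};
  results.unsafeLegit = evaluateRuleUnsafe(legitRule, config, context);
  results.unsafeInjected = evaluateRuleUnsafe(injectedRule, config, context);
  results.injectedMarker = globalThis.__injected; // set by the smuggled statement
  delete globalThis.__injected;
  results.safeLegit = evaluateRuleSafe(legitRule, config, context);
  try {
    evaluateRuleSafe(injectedRule, config, context);
    results.safeInjected = 'evaluated';
  } catch (e) {
    results.safeInjected = e.constructor.name; // rejected before any comparison
  }
  return results;
}

console.log(demo());
```

The hardened version is a drop-in for the rule shape shown: the same rule file that passes `evaluateRuleUnsafe` passes `evaluateRuleSafe`, while the injected threshold is rejected with a `TypeError` instead of running. Keeping `config.thresholds` the only indirection also means an attacker who edits the rule file cannot reach anything outside the context object and that table.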

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes Discord-based approval and alert delivery and lists bot-token/channel environment variables, but it does not warn users that potentially sensitive workflow data will be transmitted to a third-party service. In an approval engine, messages may contain business data, exception details, identifiers, and operational context, so undocumented external transmission creates privacy, compliance, and data-leakage risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README documents persistent storage of approvals, logs, and exception records in local JSON/log files but does not warn that workflow data will be written to disk. This can expose sensitive operational or business information to other local users, backups, or misconfigured file permissions, especially if operators assume the tool is stateless.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation promotes automated recovery actions such as retry, degrade, and timeout handling without warning that these actions can alter system behavior, availability, or business outcomes. In an approval/exception workflow, silent automation can amplify incidents, trigger repeated side effects, or bypass expected human control during failures.


Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code transmits exception messages and selected context fields to Discord, an external third-party service, without any visible sanitization, data-classification checks, or consent/disclosure controls in this component. If exception objects contain secrets, personal data, internal identifiers, or stack traces, the integration can leak sensitive operational information outside the primary system boundary.
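This added example (written for this review, not the skill's own code) shows the control the finding says is missing: shaping an exception alert before it crosses the system boundary to Discord. Only allowlisted context fields are forwarded, values are passed through a redaction pass for secret-, e-mail- and card-number-like strings, the message is length-capped, and the stack trace is never included. The allowlist, the redaction patterns, the `buildDiscordAlert` function and the sample error and context are all assumptions constructed for the demonstration; the patterns are illustrative, not an exhaustive classifier.

```javascript
// Added example, not the skill's own code. Field names, patterns and sample data are constructed.

// Context fields that are allowed to leave the system. Everything else is dropped.
const ALLOWED_CONTEXT_FIELDS = new Set(['workflow', 'rule_id', 'order_id', 'amount', 'status']);
const MAX_MESSAGE_LENGTH = 500;

// Illustrative patterns for values that must never be forwarded.
const SECRET_PATTERNS = [
  /\b(?:sk|pk|api|token|key)[_-]?[A-Za-z0-9_-]{16,}\b/gi, // API-key-like tokens
  /\bBearer\s+[A-Za-z0-9._-]+/gi,                          // bearer tokens
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,       // e-mail addresses
  /\b\d(?:[ -]?\d){12,18}\b/g,                             // card-number-like digit runs
];

// Replace every match of every pattern; non-string values are stringified first.
function redact(value) {
  let out = String(value);
  for (const re of SECRET_PATTERNS) out = out.replace(re, '[REDACTED]');
  return out;
}

// Build the payload that would be posted to the Discord channel. The stack
// trace stays in local logs; only a redacted, truncated message and the
// allowlisted context fields are returned for transmission.
function buildDiscordAlert(err, context) {
  const safeContext = {};
  const droppedFields = [];
  for (const [key, value] of Object.entries(context ?? {})) {
    if (ALLOWED_CONTEXT_FIELDS.has(key)) safeContext[key] = redact(value);
    else droppedFields.push(key);
  }
  const message = redact(err?.message ?? err).slice(0, MAX_MESSAGE_LENGTH);
  const name = err?.name ?? 'Error';
  return {
    content: `[${safeContext.workflow ?? 'unknown'}] ${name}: ${message}`,
    context: safeContext,
    dropped_fields: droppedFields,
    stack_forwarded: false,
  };
}

// Constructed sample: an exception whose message and context both carry data
// that should not reach a third-party service.
const sampleError = new Error(
  'Payment gateway rejected request with key sk_live_abcdef1234567890ABCDEF for alice@example.com'
);
sampleError.name = 'PaymentError';
const sampleContext = {
  workflow: 'refund_approval',
  order_id: 'ORD-2024-000123',
  amount: 1500,
  customer_email: 'alice@example.com',
  payment_token: 'tok_9f8e7d6c5b4a3f2e1d0c',
  complaint_text: 'Customer reports card 4111 1111 1111 1111 was charged twice',
};

function demoAlert() {
  return buildDiscordAlert(sampleError, sampleContext);
}

console.log(JSON.stringify(demoAlert(), null, 2));
```

The allowlist does most of the work: `customer_email`, `payment_token` and `complaint_text` never reach the payload regardless of what they contain, and the redaction pass is a second line of defence for sensitive strings that land in allowlisted fields or in the exception message itself. Whatever is sent should also be logged locally so operators can audit what actually left the system.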

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Field | Description | Allowed values |
| --- | --- | --- |
| `trigger.type` | Trigger type | `threshold` / `status` / `event` |
| `trigger.operator` | Comparison operator | `>` `<` `>=` `<=` `==` `!=` `in` `not_in` |
| `approval_type` | Approval type | `serial` / `parallel` |
| `timeout_action` | Action on timeout | `escalate` / `auto_approve` / `auto_reject` |

### Discord Channel Configuration
Confidence
86% confidence
Finding
The `timeout_action` setting accepts `auto_approve`, which grants an approval automatically when the configured timeout elapses without a human decision. Together with `auto_reject`, this lets the engine resolve approvals on its own whenever reviewers do not respond, so a misconfigured or attacker-edited rule can turn a human-in-the-loop control into an automatic pass.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal