Security audit

Rating

Security checks across malware telemetry and agentic risk

Overview

This is a local command-line utility that stores user-entered activity on disk, with no evidence of network access, credential theft, destructive behavior, or hidden agent control.

Install only if you are comfortable with inputs to this tool being saved locally in `~/.local/share/rating/` and later searchable or exportable. Avoid entering secrets, tokens, private paths, or sensitive personal content, and periodically review or delete that directory if local privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 87%
Finding
The skill is presented as a general-purpose rating tool, but the documentation also describes persistent storage, activity logging, search across stored entries, and export of accumulated data. That is a meaningful expansion of behavior affecting privacy and data handling, and users are not clearly warned up front that their inputs and command history will be retained locally and made exportable.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill is presented as a generic 'rating' utility, but the implementation exposes a much broader activity-logging and data-management surface, including multiple arbitrary categories and persistent history storage. This mismatch is dangerous because users and higher-level agents may invoke it with a narrow trust model while the script silently accumulates and retains operational data beyond the stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
Cross-log search and export materially increase the sensitivity of the stored data by making collection, aggregation, and exfiltration easier, yet these capabilities are not justified by the declared purpose of a simple rating tool. In an agent setting, this creates a broader-than-expected data access channel that can expose previously entered content across commands and sessions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The markdown explicitly states that data is stored locally and that each command logs activity with timestamps, but it does not provide an explicit warning or informed-consent style notice. This is dangerous because users may enter sensitive ratings, notes, or reviewed content without realizing it will be retained in a traceable history and potentially exported later.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script persistently writes raw user-provided inputs into log files under the user's home directory without any up-front notice, consent, or redaction. This is risky because users may supply secrets, file paths, tokens, or sensitive task content to what appears to be a normal utility command, and that data then remains available for later search and export.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The export routine aggregates historical log contents into new files in JSON, CSV, or text format without warning that prior activity data is being duplicated. This increases exposure by creating additional copies of potentially sensitive history that may be easier to share, upload, index, or mishandle than the original logs.

VirusTotal

66/66 vendors reported this skill as clean.
