Back to skill

Security audit

SwanLab Reader

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SwanLab reader that uses a SwanLab API key only for SwanLab data access, with the main caution being local plaintext key storage if the user chooses set-key.

Install only if you are comfortable giving the skill access to SwanLab data available to your API key. Prefer environment variables for temporary use, or restrict permissions on ~/.config/swanlab/key if you use set-key. Review the swanlab and numpy dependency sources in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill metadata declares no permissions, but the documented behavior clearly uses environment variables, writes an API key to a local file, and performs authenticated network access. This under-declaration is dangerous because it hides sensitive capabilities from reviewers and users, reducing informed consent and making secret handling and outbound data access less visible.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill description says it reads SwanLab experiment data from a user-provided run URL, but the documented commands also enumerate project runs, compare multiple runs, read credentials from env/files, save API keys locally, and call authenticated APIs directly. This mismatch is risky because it broadens the operational scope beyond user expectations, including credential persistence and access to private project data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is described as a reader for SwanLab run URLs, but it also includes credential persistence functionality that writes API keys to local storage. This expands the skill's privilege and data-handling scope beyond the stated purpose, increasing the chance of unintended secret exposure or misuse in environments where users expect read-only behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code reads API keys from environment variables and a local config file even though the skill's stated purpose is only to read experiment data from a URL. In an agent setting, undeclared secret access is security-relevant because it broadens the skill's trust boundary and may cause users to invoke it without realizing it will consume ambient credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API key is stored in plaintext under ~/.config/swanlab/key with no visible permission hardening or warning to the user. Plaintext secret storage can expose credentials to other local users, backup systems, logs, or unintended filesystem access, especially on shared or managed machines.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.