Back to skill

Security audit

Ka88-agent-shield

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate security-audit skill, but it asks for broad automatic self-audits of local history and sensitive directories without clear user control.

Review before installing. Use it only with clear target paths and require explicit confirmation before any history, environment, ~/.ssh, or ~/.hermes checks. Avoid the --install full-scan path unless you trust the PyPI dependency and local LM Studio endpoint, and configure any audit memory to redact sensitive details and expire when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises operational capabilities that imply network access and shell command execution, but it does not declare permissions or constraints for those behaviors. This weakens transparency and policy enforcement, making it easier for an agent to invoke network or shell actions unexpectedly during a security audit workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The described purpose is security auditing, but the documented behavior expands into package installation, LM Studio API interaction, broad filesystem scanning, and deeper content inspection beyond the narrow description. This mismatch is dangerous because users and calling agents may grant trust based on the description while the skill performs materially broader actions affecting local environment, network exposure, and data access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script can create a virtual environment and install cisco-ai-skill-scanner from PyPI at runtime, which expands its capabilities beyond passive auditing into software acquisition and execution. In a security-analysis skill, this is risky because it introduces supply-chain exposure, network egress, and execution of newly downloaded code based on a flag, potentially in environments where users expect only local validation.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The activation criteria are broad and include common situations like analyzing websites, unfamiliar content, or when a user asks to 'check security.' Overly permissive triggers can cause the skill to activate in many normal workflows, increasing the chance of unnecessary file access, command review, network interactions, or recursive scanning without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The activation criteria are broad enough to trigger this analysis phase on most ordinary content-processing tasks, which can cause overblocking, excessive scanning, and unsafe reliance on brittle pattern matching. In an agent skill, overly broad security hooks can degrade availability and create opportunities for attackers to manipulate workflows through false positives or prompt-shaped content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script installs a package and later executes external tools with only minimal status output, which weakens informed consent for potentially risky actions such as network downloads and third-party code execution. In the context of a security skill, this mismatch is more dangerous because operators may trust the tool and run it in sensitive environments without realizing it can fetch and run additional software.

File System Enumeration

Medium
Category
Data Exfiltration
Content
env | grep -E '(PROXY|VPN|TOR|PROXYCHAINS)'

# Check unusual files
ls -la ~/.hermes/
ls -la ~/.ssh/
```
Confidence
83% confidence
Finding
ls -la ~/

File System Enumeration

Medium
Category
Data Exfiltration
Content
# Check unusual files
ls -la ~/.hermes/
ls -la ~/.ssh/
```

## Audit Report
Confidence
95% confidence
Finding
ls -la ~/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source, suspicious.obfuscated_code, suspicious.prompt_injection_instructions

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
config/ssrf-blocklist.yaml:152

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
scripts/quick-scan.sh:182

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
procedures/02-content-analysis.md:22

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
templates/finding.md:123

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
templates/report.md:237