Dazhuang Skill Creator

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent skill-building toolkit, but one bundled review server can silently terminate unrelated local processes on a port.

Review before installing. Use the skill only when you want a local tool that can create files, run Python scripts, call the Claude CLI, and store evaluation outputs. Prefer static report mode or choose a known-free port for the review viewer, because the default server startup can terminate whatever is already bound to its port. Avoid running optimization/eval flows on skills or prompts containing secrets unless you are comfortable sending that content through your Claude CLI session and saving local logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (12)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill instructs the agent to read and write files and execute shell commands such as running Python scripts, but it declares no permissions or safety boundaries. That mismatch can cause an orchestrator or reviewer to underestimate the skill's capabilities, increasing the risk of unintended filesystem modification, command execution, or environment access when the skill is triggered.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The script unconditionally finds and terminates any process listening on the requested port before starting its own server. That exceeds the stated purpose of a review viewer and can kill unrelated local services, causing denial of service, loss of unsaved state, or disruption of developer workflows; in a skill-creation context, this is more dangerous because users may run it in active development environments with many local services.

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The top-level description presents the tool as a lightweight viewer, but the implementation also kills external processes on the selected port. This mismatch is security-relevant because it hides a destructive side effect from users, reducing informed consent and increasing the chance of accidental service disruption.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The page loads third-party resources from Google Fonts and SheetJS CDN even though it is a local evaluation/review tool handling prompts, outputs, benchmark data, and reviewer feedback. This expands the trust boundary and can leak metadata or enable supply-chain compromise if the remote assets are tampered with or unavailable.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation description is very broad and can match many ordinary requests about creating, modifying, evaluating, or packaging skills. Over-broad triggering is dangerous because it can invoke a high-capability skill in contexts where the user did not intend file operations or shell-driven restructuring, expanding the attack surface and making unsafe tool use more likely.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The script terminates whatever is bound to the requested port without warning, confirmation, ownership checks, or validation that it belongs to a previous instance of this tool. This can disrupt unrelated applications and local infrastructure unexpectedly, which is especially risky in an automation/skill-authoring environment where scripts may be run repeatedly and non-interactively.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The page silently autosaves review text to /api/feedback as the user types, but the UI only says feedback is being saved and does not clearly disclose that reviewer comments are transmitted to a server endpoint. In a review tool, this may expose sensitive evaluation content, prompts, or internal notes without informed user consent.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: On final submission, the code uploads the complete review set for all runs to /api/feedback, including blank and filled entries, without a clear warning that all collected review data will be transmitted. This can cause unintended disclosure of sensitive evaluation artifacts and reviewer judgments, especially in internal benchmarking workflows.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script sends the full skill content, evaluation failures, history, and possibly test data to an external model process without an explicit consent gate or redaction step. If skills or eval data contain secrets, proprietary workflows, or sensitive prompts, this creates a clear confidentiality risk through unintended external disclosure.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The transcript logging stores full prompts, model responses, and parsed descriptions to disk, which can include sensitive skill content, evaluation examples, and historical attempts. Persistent local logs widen exposure by making sensitive data recoverable later by other users, backup systems, or log collectors.

Missing User Warnings

Low

Confidence: 96% confidence
Finding: The report discloses absolute local filesystem paths containing a likely username and workstation directory structure. While this is not direct code execution, it leaks host-specific environmental details that can aid targeted social engineering, reveal internal project naming, and unnecessarily expose sensitive local context when the report is shared externally.

Natural-Language Policy Violations

Low

Confidence: 94% confidence
Finding: The JSON includes an absolute local filesystem path ('/Users/jammy/Desktop/.../blind_map.json'), which leaks developer environment details such as username, directory structure, and host-specific layout. While not directly exploitable on its own, this information disclosure can aid reconnaissance, reduce portability, and expose internal project naming or storage conventions if the artifact is shared externally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal