Security audit

LYGO Protocol Stack Operator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local operator for the LYGO stack, with helper scripts that match its stated purpose and no evidence of hidden exfiltration or destructive behavior.

Install only if you intend to work with the LYGO stack. Run the healthcheck against a checkout you trust, preferably the documented upstream repository, and avoid pointing LYGO_STACK_ROOT at arbitrary or sensitive directories. Keep external publish, upload, social, or companion-skill actions user-approved as the skill already instructs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if not cmd[1] or not Path(cmd[1]).is_file():
            print(f"  SKIP {name} (script missing)")
            continue
        r = subprocess.run(cmd, cwd=root, capture_output=True, text=True, timeout=120)
        status = "OK" if r.returncode == 0 else f"FAIL({r.returncode})"
        print(f"  {name}: {status}")
        if r.returncode == 0:
Confidence
88% confidence
Finding
r = subprocess.run(cmd, cwd=root, capture_output=True, text=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and instructs use of shell commands, local file access, and environment-variable-based configuration, but it does not declare corresponding permissions. That mismatch is a real security issue because an agent or reviewer may assume the skill is lower-privilege than it actually is, leading to unintended command execution, filesystem access, or use of sensitive environment data when the workflow is followed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A script labeled as a local health check goes beyond inspection and actively runs external demo programs from a discovered stack checkout. In this skill context, that makes the feature more dangerous because users may treat a healthcheck as low-risk, while it actually executes potentially attacker-supplied code from a path chosen via environment variable or local filesystem placement.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.