Back to skill

Security audit

LLM Supervisor

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to handle LLM rate limits, but it can reroute agents between cloud and local models with unclear consent and persistence behavior.

Review before installing if you work with sensitive code, strict provider policies, or cost-controlled LLM profiles. Confirm whether automatic local fallback is acceptable, define a clear confirmationPhrase such as CONFIRM LOCAL CODE, and verify that forcing anthropic:default in cloud mode will not override your intended provider setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The hook automatically changes the active LLM mode from cloud to local immediately after detecting a rate-limit-like error, without obtaining user confirmation first. This creates a trust-boundary and behavior-integrity issue because the skill description says it only offers a local switch with confirmation for code tasks, yet the code performs the switch unilaterally, which could cause sensitive prompts or code-related workflows to be routed to a different model than the user expected.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The package description states the skill 'automatically switches' between cloud and local LLMs, which conflicts with the stated requirement to offer a local-model switch only with user confirmation for code tasks. In an LLM supervisor skill, this ambiguity is security-relevant because silent fallback can change trust boundaries, privacy characteristics, and output quality without explicit user approval.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.