Backup Tool

Security checks across malware telemetry and agentic risk

Overview

This backup skill is not overtly malicious, but it needs Review because it can modify local files and its safety/security claims do not match the implementation.

Install only if you understand this is a simple compressed tar backup helper, not an encrypted backup system. Do not restore archives you do not fully trust, avoid broad scheduled paths such as all of /home unless you review the cron entry, and do not rely on the advertised encryption, incremental, or exclude features until the implementation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill advertises and documents shell execution via Python commands and cron usage, but no permissions are declared to reflect those capabilities. This creates a transparency and governance gap: users or orchestrators may invoke file-system and shell-affecting behavior without appropriate review or sandboxing expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The tool advertises encryption support in its description and documentation, but the implementation only creates compressed tar archives and prints a checksum. Users may rely on the backup for confidentiality and store sensitive data insecurely, causing accidental exposure if the archive is copied, uploaded, or stolen.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The module-level documentation explicitly claims encryption capability that does not exist in the code. In a backup tool handling important or sensitive files, this mismatch is security-relevant because it can mislead operators into believing confidential data is protected when it is only archived and compressed.

Vague Triggers

Severity: Medium
Confidence: 75%
Finding:
The activation language is broad enough to trigger on many ordinary backup, sync, or file-management requests, which increases the chance this skill is selected in contexts involving sensitive files or system paths. Over-broad routing is risky for a tool that can read, package, encrypt, restore, and potentially overwrite large amounts of data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The documentation includes restore and cron-based scheduled backup workflows without warning about overwrite risks, restoration into sensitive destinations, credential/password handling, or the broad access implied by backing up paths like /home. Missing safety guidance around automated and restorative operations can lead to data loss, unintended exposure, or persistent high-privilege collection of user files.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The restore path uses tar.extractall() on an untrusted archive without validating member paths, symlinks, or hardlinks. A crafted tar can perform path traversal and write outside the intended destination, potentially overwriting arbitrary files or planting malicious content. This is especially dangerous in a backup/restore skill that is expected to process external archives.

VirusTotal

65/65 vendors flagged this skill as clean.