Security audit

Cut Tool

Security checks across malware telemetry and agentic risk

Overview

This skill appears security-benign, but its helper script does not do the delimiter-based column extraction it advertises.

Install only if you understand this is currently a minimal local text truncation script, not a working cut-style field extractor. Do not rely on it for CSV, TSV, logs, or automation pipelines unless the implementation is fixed or you test its behavior on representative input first.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The implementation does not perform delimiter-based field extraction as advertised; it blindly truncates every input line to the first 5 characters. This can silently corrupt output, causing downstream tools or agents to act on incomplete or incorrect data, which is especially risky in automation pipelines that trust this skill's manifest and output semantics.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal