Security audit

Password Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears locally contained, but it should be reviewed because it claims to generate secure passwords and tokens while using non-cryptographic randomness.

Do not use this skill for real account passwords, API tokens, PINs, recovery codes, or other important secrets unless it is updated to use Python's secrets module or another CSPRNG. It does not appear to steal data or persist on the system, but its current outputs should not be treated as cryptographically secure.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

High
Confidence: 99%
Finding
The code claims to generate secure passwords and passphrases, but it uses Python's `random` module, which is not designed for cryptographic security and can be predictable. In a password-generation skill, this context makes the issue more dangerous because users will rely on the output for authentication secrets, tokens, or PINs under the assumption that they are strong and unpredictable.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The skill metadata and code together represent that it generates secure passwords and tokens, but the implementation relies on a non-cryptographic PRNG. This can produce values that are more predictable than intended, undermining password, PIN, and token security and creating a mismatch between user trust and actual security guarantees.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code: suspicious.exposed_secret_literal
Location: scripts/generate.py:95