Security audit

Unexpand Tool

Security checks across malware telemetry and agentic risk

Overview

This text-formatting skill appears to treat piped input as a filesystem path, which can unexpectedly read local files instead of only transforming supplied text.

Install only if you are comfortable auditing or fixing the stdin behavior first. Prefer a version that treats stdin as text content, accepts file paths only through explicit arguments, and documents exactly when local files are read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The documented behavior promises a straightforward text transformation, but the analyzed behavior indicates the script may read arbitrary file paths, because it treats stdin text as a filename. The mismatch is dangerous when callers trust the tool inside automated workflows: it can lead to unintended file access, failed processing, or operating on the wrong target while the caller believes the tool only transforms the text it was given.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding
The script uses `sys.stdin.read()` as a filename when no command-line argument is provided, then passes that value directly to `open()`. This allows arbitrary file reads based on stdin content, which is unrelated to the advertised purpose of reformatting text and can expose sensitive local files if the tool is invoked in a pipeline or by another agent.
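The finding above describes the mechanism, and the overview recommends the fix (treat stdin as text, accept paths only through an explicit argument). The following is an added example written for this audit page, not the skill's own code: it reconstructs the reported pattern as `vulnerable_load()` and places the hardened form beside it. The function names, the `--file` flag, the tab-stop logic and the temp file with a constructed secret are all assumptions made for the illustration.

```python
"""Added example: stdin treated as a path (the reported flaw) vs stdin treated as text.

Not the skill's own code. Names, the --file flag and the sample secret are assumptions.
"""
import io
import os
import sys
import tempfile


def unexpand(text: str, tabsize: int = 8) -> str:
    """Convert leading runs of spaces into tabs at every full tab stop.

    Mirrors the default unexpand(1) behaviour of only touching leading
    whitespace; partial runs shorter than a tab stop stay as spaces.
    """
    out = []
    for line in text.splitlines(keepends=True):
        body = line.lstrip(" ")
        lead = len(line) - len(body)
        tabs, spaces = divmod(lead, tabsize)
        out.append("\t" * tabs + " " * spaces + body)
    return "".join(out)


def vulnerable_load(argv, stdin):
    """Pattern the finding reports: with no argument, stdin CONTENT becomes the path.

    Whoever controls the piped text controls which local file is opened.
    """
    path = argv[1] if len(argv) > 1 else stdin.read().strip()
    with open(path) as f:  # arbitrary file read driven by piped text
        return f.read()


def hardened_load(argv, stdin):
    """Hardened form: stdin is data; a file is read only via an explicit --file PATH.

    Any other positional argument is rejected so the behaviour is documented
    and unambiguous for callers and for agents that wire this into a pipeline.
    """
    if len(argv) == 3 and argv[1] == "--file":
        with open(argv[2]) as f:
            return f.read()
    if len(argv) != 1:
        raise SystemExit("usage: unexpand.py [--file PATH]  (otherwise text is read from stdin)")
    return stdin.read()


def demo():
    """Pipe a file path into both loaders and report what each one returns."""
    secret = "API_KEY=constructed-example-secret\n"  # constructed sample, not real data
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        piped = path + "\n"  # the text a caller innocently pipes in
        leaked = vulnerable_load(["unexpand.py"], io.StringIO(piped))
        kept = hardened_load(["unexpand.py"], io.StringIO(piped))
        explicit = hardened_load(["unexpand.py", "--file", path], io.StringIO(""))
    finally:
        os.unlink(path)
    # leaked == secret: the path text caused a file read.
    # kept == piped: the hardened loader transforms the text itself.
    # explicit == secret: files are read only when asked for by name.
    return {"secret": secret, "path": path, "leaked": leaked, "kept": kept, "explicit": explicit}


if __name__ == "__main__":
    r = demo()
    print("vulnerable loader returned:", repr(r["leaked"]))
    print("hardened loader returned:  ", repr(r["kept"]))
    sys.stdout.write(unexpand(hardened_load(sys.argv, sys.stdin)))
```

Running the script with a file path on stdin shows the difference directly: the vulnerable loader hands back the file's contents, the hardened one hands back the path string and would simply unexpand it. When auditing the real skill, check that every `open()` call is reachable only from an explicit argument and that the documentation states when local files are read.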

Missing User Warnings

Severity: Low
Confidence: 96%
Finding
The code opens a path derived from standard input without any notice, confirmation, or restriction, which is surprising behavior for users and downstream tools. In a text-formatting skill this is more dangerous than usual, because callers reasonably expect stdin to carry the text to be transformed, not a filesystem path, so the mismatch can silently disclose local files.

VirusTotal

64/64 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.