Back to skill

Security audit

Arkcloud Ipfs

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed ARKCloud file-management helper with expected upload and delete abilities, but users should treat deletion and file uploads carefully.

Install only if you intend to let an agent manage ARKCloud uploads. Confirm the exact file, destination, and upload_id before upload or delete actions, and keep any ARKCloud credentials in local environment variables rather than chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly depends on sensitive capabilities including environment-variable access, file-path handling, and outbound network calls, yet no explicit permissions are declared. That mismatch weakens reviewability and consent, making it easier for a user or platform to underestimate what the skill can access and do.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation text is very broad and includes generic phrases like uploading files, getting links, listing resources, and checking health, which could cause the skill to trigger on ordinary user requests outside the user's intended scope. Overbroad invocation increases the chance of unexpected network actions involving files and tokens.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
python <base_dir>/scripts/arkcloud_delete.py <upload_id>
```

It calls `DELETE /api/client/uploads/{upload_id}`. Treat this as destructive: confirm with the user before deleting unless they explicitly asked for deletion.

## Error Handling
Confidence
84% confidence
Finding
DELETE /api/client/uploads/{upload_id}`.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.