Back to skill

Security audit

Project Management System

Security checks across malware telemetry and agentic risk

Overview

This is a coherent project-management skill, but it gives agents broad autonomous project-maintenance behavior and includes an optional restore tool that can erase uncommitted repository work.

Install only if you want an agent to manage project state files, dispatch/review work, and use heartbeat or timer-style continuation. Scope it to dedicated project directories, review task specs before execution, and do not allow `tools/system-check.py --restore` unless a human has inspected `git status` and accepts losing uncommitted and untracked work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises only documentation-oriented project management behavior, yet the analysis detected file read, file write, and shell capabilities without any declared permissions. Undeclared powerful capabilities reduce transparency and can enable unexpected filesystem or command execution behavior, making it harder for operators to assess risk before installation or use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a strong description-behavior mismatch: a project-management skill should not silently perform repository inspection, destructive git cleanup, checkout, or arbitrary file output unrelated to the stated workflow purpose. Such hidden behavior can lead to data loss, unauthorized repository modification, and user deception because operators may invoke the skill expecting planning assistance rather than codebase-changing actions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The manual states the dispatcher must 'only dispatch, do not execute,' but elsewhere assigns execution-like duties such as running code and directly modifying project/system records. This contradiction weakens role boundaries and can lead a high-privilege coordinator agent to perform unsafe actions without the controls intended for executor roles.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This section authorizes the dispatcher to update system-level governance artifacts like `system/data_structure.md`, which exceeds normal coordination and crosses into privileged administrative change. Even if one sentence requires approval for `system/` changes, the broader workflow still normalizes direct coordinator modification of governance state, creating policy-bypass and integrity risks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The review phase tells the dispatcher to 'run first' for code outputs, which is direct execution by a role that is supposed to coordinate rather than execute. Allowing a coordinator to execute untrusted project code increases the blast radius of malicious or unsafe task outputs and undermines separation of duties.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This section explicitly encourages the agent to 'proactively discover' and use platform capabilities beyond the documented mechanisms. In an agent skill, that materially widens operational scope and can authorize unsafe use of unexpected tools, integrations, or privileged runtime features without policy gating or allowlisting. In this project-management context, the instruction is more dangerous because it is framed as a general runtime habit that applies across roles and sessions, increasing the chance of persistent overreach.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script exposes destructive repository mutation features, including mass restore and deletion of untracked files, under the framing of an integrity check tool. In an agent skill context, this can be misused to erase user work or silently rewrite project state, and that capability is broader than necessary for merely checking system integrity.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation labels any uncommitted change as abnormal and recommends restore, while the implementation will also delete intentional new files via git clean -fd and revert edits wholesale. That misleading framing increases the chance that an operator or agent will destroy legitimate work under the mistaken belief that all changes are suspicious.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation criteria are very broad and can trigger on common project-related language such as planning or collaboration requests without tight boundaries. In the presence of hidden write/shell/repository capabilities, over-broad activation increases the chance the skill is invoked in contexts where the user did not intend to grant such powerful operational behavior.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The recovery flow is triggered on 'any wake' and 'every heartbeat' with no explicit scoping, project ownership check, or authorization boundary. That can cause the agent to scan broadly and act automatically on all visible active projects, creating opportunities for unintended cross-project access, excessive autonomous actions, or repeated processing loops. In a multi-project management system, broad autonomous activation increases the blast radius.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The instruction to discover and use unspecified platform capabilities is ambiguous and overly broad, effectively delegating security decisions to the agent at runtime. That undermines least privilege and makes abuse or accidental misuse of hidden features, background jobs, webhooks, or event listeners more likely. Because the file presents this as meta-cognition and good operational behavior, it normalizes unsafe expansion of authority.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The file recommends automatic skill injection on broad triggers such as receiving any task spec path or being asked to initiate, break down, or review work. In an agent environment, overly broad activation can cause the skill to be invoked in unintended contexts, increasing prompt-surface area and making it easier for unrelated conversations or adversarial inputs to pull in project-management instructions unexpectedly. Because this skill is designed to steer agent behavior globally, unintended invocation is more dangerous than in a narrow utility skill.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The template explicitly states that it is an agent work-instruction file that can be executed immediately with no extra communication needed. That creates an overly broad activation condition: any copied task file may be treated as authoritative operational input without a defined trust boundary, approval gate, or trigger criteria, increasing the risk of prompt injection or unsafe autonomous action.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.