Back to skill

Security audit

Where are you from

Security checks across malware telemetry and agentic risk

Overview

This inventory skill mostly matches its stated purpose, but it needs Review because it can change Git state, commit broad workspace contents, and push local skill metadata to GitHub while some safety documentation understates those behaviors.

Install only if you want a tool that reads configured skill directories and creates Git-backed manifests. Use a private, dedicated inventory repository, run it from a directory without unrelated files, review generated manifests and git status before committing, and confirm push only after checking that paths, sources, and skill metadata are safe to publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This is a real security-relevant behavior mismatch: the skill is described as an asset-tracking/sync utility, but this module initializes repositories, adds remotes, writes a .gitignore, and can later commit and push repository contents. In an enterprise context, mutating a repository and syncing data to GitHub can expose internal code, manifests, or other sensitive files if invoked on the wrong directory or with an untrusted remote URL.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation explicitly says the utility is 'read-only' and does not transmit credentials or data, but the implementation writes .gitignore, stages files, commits changes, and pushes to a remote repository. That discrepancy is dangerous because operators or higher-level agents may trust the description and invoke the skill in environments where write and exfiltration-capable behavior is unacceptable.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The recursive scanner traverses arbitrary caller-supplied roots, follows real paths for discovered skills, and intentionally does not prune dot-directories except those explicitly excluded. In an enterprise agent context, this can enable overbroad filesystem enumeration of sensitive locations such as home directories or hidden config trees, increasing the attack surface for unintended data discovery and later misuse by other components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes a `sync --push` workflow that uploads a generated skills inventory to GitHub and frames it as 'securely sync to the cloud' without clearly warning that inventories may contain sensitive metadata, internal repository paths, private skill names, or incompletely scrubbed secrets. Because this is an asset-management skill explicitly dealing with origins, paths, and security-relevant metadata, users may be encouraged to disclose operational details to a remote repository under a false sense of safety.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly instructs users to run a sync command with `--push`, which implies transmitting generated manifests to a GitHub repository, but it does not warn that repository metadata and potentially sensitive local skill inventory details may be published. In the context of an asset inventory manager, this omission is security-relevant because users may expose internal tooling, sources, paths, or other operational metadata without understanding the disclosure risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Intent-based matching without strict boundaries makes it easier for ordinary conversation to trigger workflows that inspect local files or propose state-changing operations. In this skill, broad matching is more dangerous because some workflows lead to Git commits, config creation, and potential remote sync.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Several listed triggers such as 'Where are you from?' and other everyday phrases are highly ambiguous and could be said in unrelated contexts. Because this skill can inspect the environment and initiate follow-on sync actions, accidental activation creates a real risk of unintended data exposure or repository changes.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Push-related triggers like generic backup or save requests can collide with normal user language and map directly to `sync --push`, which uploads inventory data to a remote GitHub repository. That creates a meaningful exfiltration risk, especially since manifests may include paths, descriptions, versions, and other sensitive metadata about locally installed skills.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The overview emphasizes auditing and secure backup but does not clearly warn that normal workflows can create files, initialize repositories, and commit changes. Users may therefore invoke the skill expecting a read-only inspection, when in fact it can make persistent modifications to the local workspace.

Missing User Warnings

High
Confidence
97% confidence
Finding
The push workflow instructs the agent to run `inventory sync --push` immediately, with no explicit confirmation before uploading inventory data to GitHub. Since the manifest can contain sensitive metadata about installed skills and local paths, automatic remote transmission materially increases the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The bootstrap guidance recommends a first-time setup flow without prominently disclosing that it may initialize Git tracking and generate persistent configuration files. This can surprise users and alter their workspace state in ways they did not intend when they believed they were only enabling inventory inspection.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The tutorial advertises very broad natural-language triggers like "Analyze my skills" and "Sync my inventory to GitHub," which overlap with plausible ordinary user requests and can cause the skill to activate when the user did not explicitly intend to invoke it. In this skill's context, unintended activation is more dangerous because the described actions include scanning local environments and pushing inventory data to GitHub, creating a real risk of privacy-sensitive metadata disclosure or unintended repository updates.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bootstrap/init flow calls gitManager.init(process.cwd()) and can modify the current working directory's Git state without an explicit confirmation at the call site. In a sensitive or unrelated repository, this could unexpectedly initialize or alter version-control configuration and prepare local data for later commit/push operations.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The bootstrap path writes a persistent configuration file under the user's home directory without an operation-specific warning immediately before the write. While common for CLI tools, undisclosed persistence can surprise users and create unwanted local state, especially in security-sensitive environments.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The init path also persists configuration in the user's home directory without a direct confirmation at the write point. This is a minor but real transparency/persistence issue because it creates durable state outside the current workspace.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The commit function performs 'git add .' and commits all changes in the repository without any explicit confirmation, file scoping, or review step. Even without shell injection, this can capture unrelated modifications, generated files, or sensitive material that was not meant to be versioned, especially in an automation context tied to GitHub syncing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The Markdown manifest includes source, path, and descriptive metadata for every skill and writes it to disk without sanitization or minimization, which can expose internal filesystem structure, private repository URLs, or other operational details if the report is shared, committed, or stored in an accessible location. In an enterprise asset-management context, inventory artifacts are likely to be redistributed, making this leakage more consequential than in a purely local debugging tool.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
utils/gitManager.js:10