
Security audit

scellrun

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking scellrun analysis skill, but it asks the agent to run commands on remote research systems and potentially use AI helpers on sensitive biomedical data without a strong approval gate.

Install only if you are comfortable with an agent running scellrun commands on the machine where your data lives. Before use, explicitly confirm each of the following:
  • the remote host and the account the agent will use
  • the dataset path and the working directory
  • the scellrun package version
  • the files the run is expected to write
  • whether tmux or a job scheduler may be used
  • whether AI calls are allowed at all
Use least-privilege access, and prefer --no-ai for confidential or regulated datasets unless third-party processing has been approved.
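The checklist above is only useful if something enforces it before the first SSH connection or file write. The following is an added example of such a pre-flight gate, written for this audit page; it is not code from scellrun or from the skill. Everything in it is assumed: the ApprovedRun and ProposedRun records, the approval_violations function, the host and path names, and the premise that the agent harness can capture the planned command line and write paths before executing anything. The only scellrun detail taken from the page is the --no-ai flag. Note the containment check collapses ".." lexically, so a write path that resolves outside the approved working directory is rejected even though it starts with the right prefix.

```python
"""Pre-flight approval gate for an agent-driven scellrun run (added example).

Not code from scellrun or the audited skill; all names and sample values
here are constructed for illustration. Only the --no-ai flag comes from
the audit text.
"""
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class ApprovedRun:
    """What the user explicitly confirmed before the agent may touch anything."""
    host: str
    account: str
    dataset: str            # absolute path on the remote host
    workdir: str            # absolute path; every artifact must land inside it
    package_version: str
    regulated: bool         # confidential or regulated data
    allow_tmux: bool = False
    allow_scheduler: bool = False
    allow_ai: bool = False  # third-party AI processing explicitly approved?


@dataclass
class ProposedRun:
    """What the agent intends to do, captured before any SSH or write happens."""
    host: str
    account: str
    dataset: str
    workdir: str
    package_version: str
    argv: list              # scellrun command line the agent wants to run
    writes: list            # absolute paths of files it intends to create
    use_tmux: bool = False
    use_scheduler: bool = False


def _inside(path: str, root: str) -> bool:
    """Lexical containment: collapse '..' so a write cannot escape the root."""
    if not path.startswith("/"):
        return False                      # relative paths are ambiguous; reject
    p = posixpath.normpath(path)
    r = posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def approval_violations(proposed: ProposedRun, approved: ApprovedRun) -> list:
    """Return every reason the proposed run is NOT covered by the approval.

    An empty list means the agent may proceed; anything else means stop and
    re-confirm with the user before running anything remotely.
    """
    v = []
    for name in ("host", "account", "dataset", "workdir", "package_version"):
        want, got = getattr(approved, name), getattr(proposed, name)
        if want != got:
            v.append(f"{name}: approved {want!r}, agent proposed {got!r}")
    for path in proposed.writes:
        if not _inside(path, approved.workdir):
            v.append(f"write outside approved workdir: {path!r}")
    if proposed.use_tmux and not approved.allow_tmux:
        v.append("tmux session requested but not approved")
    if proposed.use_scheduler and not approved.allow_scheduler:
        v.append("scheduler submission requested but not approved")
    ai_disabled = "--no-ai" in proposed.argv
    if approved.regulated and not ai_disabled and not approved.allow_ai:
        v.append("regulated dataset: run with --no-ai or get third-party "
                 "processing approved first")
    return v


# Constructed sample approval: a regulated cohort on a hypothetical HPC host.
APPROVED = ApprovedRun(
    host="hpc-login.example.org", account="analyst",
    dataset="/data/cohort7/pbmc.h5ad", workdir="/scratch/analyst/run1",
    package_version="1.4.2", regulated=True,
)


def good_plan() -> ProposedRun:
    """A plan that stays inside what was approved."""
    return ProposedRun(
        host="hpc-login.example.org", account="analyst",
        dataset="/data/cohort7/pbmc.h5ad", workdir="/scratch/analyst/run1",
        package_version="1.4.2",
        argv=["scellrun", "--no-ai", "/data/cohort7/pbmc.h5ad"],
        writes=["/scratch/analyst/run1/results/summary.csv"],
    )


def bad_plan() -> ProposedRun:
    """Same host and data, but an escaping write, tmux, and AI left enabled."""
    return ProposedRun(
        host="hpc-login.example.org", account="analyst",
        dataset="/data/cohort7/pbmc.h5ad", workdir="/scratch/analyst/run1",
        package_version="1.4.2",
        argv=["scellrun", "/data/cohort7/pbmc.h5ad"],
        writes=["/scratch/analyst/run1/../../../etc/cron.d/job"],
        use_tmux=True,
    )


if __name__ == "__main__":
    for plan in (good_plan(), bad_plan()):
        print(approval_violations(plan, APPROVED) or "approved")
```

The gate is deliberately a pure function over two records: the agent harness fills in ProposedRun from the plan it is about to execute, the user's confirmation fills in ApprovedRun, and any non-empty result blocks execution and goes back to the user as the warning the skill itself does not require.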

SkillSpector (by NVIDIA)

Vulnerability patterns checked
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill metadata advertises 'multi-omics' support, while the body later admits that multimodal inputs are effectively ignored outside the gene-expression layer. That mismatch can lead an agent to route ATAC/ADT/CITE-seq/spatial datasets into a pipeline that only analyses the expression layer, producing misleading results while the run appears to succeed.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The top-level description is overly broad and can trigger the skill for many ordinary requests that merely involve common file types, even when scellrun is not the appropriate tool. Over-broad activation increases the chance that an agent selects this skill instead of a safer or more suitable workflow, leading to incorrect analyses or unnecessary execution against user data.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The body instructs the agent to reach for scellrun whenever certain file types appear, which is an ambiguous and over-permissive routing rule. Because those formats are common across many bioinformatics contexts, the rule can cause the tool to be invoked at the wrong workflow stage or against the wrong data, with downstream actions taken on that basis.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill tells the agent to SSH to wherever the data lives, set up environments, run commands, and write artifacts, but it does not require an upfront warning or explicit user confirmation before remote access or file-modifying operations. That creates a real risk of unauthorised remote actions, environment changes, data processing, and artifact generation on sensitive research or clinical systems.

VirusTotal

60/60 vendors flagged this skill as clean.
