Back to skill

Security audit

Brainblast Fleet

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed autonomous job for finding and submitting public security examples, but users should understand it can run on a schedule and execute an external engine checkout.

Install this only if you want a background-capable tool that clones and runs the Brainblast engine, searches public code, and submits proven findings to the public registry. Review the default remote repository and cron settings first, do not point BRAINBLAST_REPO at a working repository, and provide optional tokens only if you trust the registry/operator workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs use of shell commands and external tooling (`git`, `node`, `npm`, `python3`, cron scripts) but does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: an operator or platform may treat the skill as lower risk than it is, while it can still modify local state, clone repositories, and submit data over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description frames the skill as a discovery/submission agent, but the body also installs scheduled jobs, performs repository clone/reset/clean operations, and can trigger optional reprove workflows. This mismatch is dangerous because users may consent to passive analysis while the skill actually establishes persistence and performs destructive local repo operations in a managed path.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases ('run the fleet', 'source VTIs', 'grow the corpus', 'scout SDKs') are broad and operational, without exclusions or confirmation requirements for autonomous or state-changing actions. In context, these triggers can lead to shell execution, network submissions, repository resets, and cron-related workflows, so ambiguous invocation increases the chance of unintended activation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.