Back to skill

Security audit

FMEA分析技能

Security checks across malware telemetry and agentic risk

Overview

This FMEA skill is a local analysis helper that creates project files in a disclosed output folder and shows no evidence of hidden network, credential, or destructive behavior.

Install only if you are comfortable with FMEA project details being saved in a local fmea_output folder in the working directory. Use a private workspace for confidential engineering or product-risk data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises executable script workflows and writes output to a local directory, but it does not declare permissions for file read/write. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate the skill's ability to access or modify local files, increasing the chance of unintended file operations.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger condition is broad enough to match general requests about risk assessment or improvement tracking, which can cause the skill to activate outside narrowly intended FMEA use cases. Because the skill includes script execution and file output behaviors, overbroad invocation increases the chance of unnecessary file creation or misuse in unrelated contexts.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script automatically creates a local output directory and persists project data to disk without an explicit user-facing warning or consent flow. In an FMEA context, stored content can include sensitive engineering details, failure modes, causes, and mitigation plans, so silent persistence increases the risk of unintended data exposure on shared systems or in insecure working directories.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.