Knowledge Engineering

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent RAG document-slicing tool, but it can automatically install packages, download models, and rewrite or overwrite many user files with limited safety controls.

Install only if you are comfortable with a document-processing skill that can write and rewrite files in the paths you provide. Run it in a dedicated workspace, avoid pointing it at important directories, review --fix and --renumber changes before applying them, and preinstall dependencies manually if you do not want the skill to run pip or download models automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
try:
    pip_cmd = "pip" if _PINFO.is_windows else "pip3"
    subprocess.run([pip_cmd, "install", "sentence-transformers"],
                   capture_output=True, check=True, timeout=120)
    # install succeeded → re-import
    from sentence_transformers import SentenceTransformer
Confidence
96% confidence
Finding
subprocess.run([pip_cmd, "install", "sentence-transformers"], capture_output=True, check=True, timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if info.is_windows:
        kwargs.setdefault("shell", True)
        kwargs.setdefault("encoding", "utf-8")
    return subprocess.run(cmd, **kwargs)


# ── Module self-test ──
Confidence
92% confidence
Finding
return subprocess.run(cmd, **kwargs)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The reference expands the skill from RAG slicing into adjacent capabilities like document conversion and multimodal extraction that are not clearly reflected in the declared skill scope. This creates scope creep risk: users may trigger processing of additional file types or transformations they did not explicitly expect, increasing the chance of unintended data handling and tool use.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The document claims earlier direct PDF/multimodal handling behavior, then later states such inputs are unsupported or require preprocessing. Contradictory boundary documentation is dangerous because operators may rely on the broader claim and feed unsupported data into the workflow, causing unsafe fallback behavior, silent failures, or accidental processing through other tools.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation permits automatic dependency installation or model acquisition for retrieval evaluation, which introduces external code and artifacts beyond the core slicing task. Even if not overtly malicious, this widens the trust boundary and can lead to unexpected network access, package supply-chain exposure, and environment mutation during routine use.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Stating that the first run automatically downloads a model and requires network access introduces undeclared external communication in a skill primarily described as a local slicing tool. This can expose sensitive environment metadata, violate offline expectations, and surprise users in restricted or regulated environments.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
`--fix` mode does more than its documented 'generate audit report' behavior: it attempts fuzzy matching and rewrites source markdown files to repair cross-references. In an auditing/final-validation tool, undocumented mutation of the corpus can cause integrity loss, incorrect link rewrites, and surprising side effects during CI or operator use, especially because the replacement logic includes broad string substitution as a fallback.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI help text says `--fix` only generates an audit report, but the implementation also modifies slice files by auto-repairing cross-references. This mismatch is security-relevant because users may invoke the flag expecting a harmless reporting action and instead trigger content changes, which is dangerous in production knowledge bases and automated pipelines.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The documentation states that --fix generates a report, but the implementation also rewrites source markdown files by modifying embedding_hint values. This mismatch is security-relevant because users may run the flag expecting read-only evaluation and instead trigger silent mutation of their knowledge-base content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auto-installing sentence-transformers extends the script from local evaluation into package management and likely network download, increasing the attack surface and operational risk. In this skill context, that is more dangerous because the advertised purpose is offline-style knowledge-base evaluation, so operators may not anticipate code fetching and execution from external sources.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CLI help text claims --fix only generates a report, but the code path also performs automatic content repairs on slice files. Hidden write behavior in a flag advertised as reporting can lead to unintended data corruption, pipeline side effects, and unsafe use in automated environments.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A generic cross-platform command execution wrapper is not narrowly tied to platform detection and provides a convenient primitive for later arbitrary process execution. Combined with the Windows shell=True default, it materially raises the risk that other parts of the skill will invoke commands unsafely, making the skill context more dangerous because the stated purpose does not require a broad executor.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The quickstart explicitly tells users they can direct output to an arbitrary filesystem path and implies the agent will write there automatically, but it provides no warning about overwriting existing files, path validation, or safe output boundaries. In an agent context that performs file operations, this can lead to unintended modification of user data or writes into sensitive locations if the path is mistaken, maliciously influenced, or resolved unsafely.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to overlap with ordinary user requests about viewing plans or preparing documents, increasing the chance that the skill is invoked when the user did not intend file processing. Over-broad activation is dangerous because this skill can write files, run validation, and potentially alter outputs as part of its normal workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that `validate_slice.py --fix` writes SELF_CHECK data back into files immediately after generation, but it does not prominently warn users that files will be modified. Silent or poorly disclosed file mutation is risky because it can alter generated artifacts, pollute repositories, or break downstream consumers expecting clean content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic dead-link repair via fuzzy matching can rewrite references heuristically without clear user warning or review. Heuristic content repair is dangerous because it may silently introduce incorrect links, corrupt knowledge relationships, or mask underlying generation defects.

Missing User Warnings

High
Confidence
97% confidence
Finding
The boundary section explicitly says existing output files with the same name will be overwritten, but there is no strong caution, safeguard, or confirmation step. This is a direct integrity risk: a mistaken output path or filename collision can destroy prior knowledge-base content or other user files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The note about automatic model download requiring network access is not accompanied by a prominent warning or explicit consent flow. Unexpected outbound network activity can violate user expectations, policy constraints, and data-handling requirements, especially in enterprise or air-gapped settings.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script installs a package from the network without explicit user confirmation, which can execute remote code during installation and alter the runtime environment unpredictably. In agent or CI contexts, this can violate supply-chain controls and create a path for malicious package or dependency compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The --fix flow rewrites markdown source files' embedding_hint fields without prominently warning the user in the CLI interface, making a destructive operation look like a harmless evaluation helper. This is dangerous because it can silently modify source knowledge assets, interfere with review/audit processes, and propagate unintended content changes.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script writes files to user-supplied locations and can create many output artifacts without any path safety checks, confinement, or confirmation step. In an agent or automation context, a manipulated output_dir can cause unintended filesystem modification, overwriting project files or planting content in sensitive locations accessible to the running user.

Missing User Warnings

High
Confidence
93% confidence
Finding
In renumber mode, the script rewrites file contents, creates new paths, renames originals to .bak, and deletes the backup without transactional safeguards or explicit destructive confirmation. If pointed at the wrong tree or attacker-influenced content, this can irreversibly alter or destroy large numbers of files, which is especially dangerous for an agent skill that may run unattended.

VirusTotal

64/64 vendors flagged this skill as clean.
