Back to skill

Security audit

One Eval

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate LLM evaluation skill, with expected network and local file use; the main cautions are API data sharing and trusted-only custom metric code.

Install only in a project environment you control. Use trusted model endpoints for private benchmarks, avoid putting sensitive data into third-party API evaluations without approval, keep evalspec files out of source control, and only place custom metric Python files or external benchmark repos in this workflow if you trust their code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to use environment variables, read and write local files, and make network requests, but it does not declare permissions or clearly constrain those capabilities. This creates a mismatch between the skill's documented behavior and its effective power, increasing the chance of unintended credential access, local file modification, or outbound requests without adequate review.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code prepends custom_metrics/ to sys.path and imports every .py file in that directory, which executes top-level Python code on import. Because these modules are treated as user-extensible input rather than trusted application code, this creates an arbitrary code execution path inside the skill runtime that goes beyond merely evaluating models or computing metrics. In this skill context, extensibility is expected, but the evaluation environment may handle API keys, local files, datasets, and reports, which increases the blast radius of malicious metric code.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The template encourages users to provide an external API URL and API key, but it does not warn that benchmark prompts, model outputs, and possibly sensitive evaluation data will be transmitted to a third-party service. In an evaluation workflow, users may test proprietary datasets or prompts, so omission of a disclosure increases the risk of unintended data exfiltration or policy violations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This file dynamically loads custom metric modules but provides no enforced user-facing warning or consent gate before executing them. In practice, importing a metric file runs arbitrary Python at import time, so users may reasonably believe they are only adding a scoring function when they are actually authorizing code execution. The lack of explicit warning makes misuse and social-engineering attacks more likely, especially in a skill intended for benchmark extension by end users.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.