Eternal System Health

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local system health reporting skill, with privacy cautions around DNS checks, process details, and saved reports.

Install only if you are comfortable running a local diagnostic script that reads system state, runs standard tools such as df/ip/ps, performs a DNS lookup to google.com, and may save host and process details to a file you choose. Avoid saving reports in shared, synced, or world-readable locations unless that system information is safe to disclose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation advertises shell execution (`python3 scripts/syshealth.py ...`) and file output capabilities (`--output, -o`) but declares no permissions. That mismatch can cause downstream systems or users to trust the skill more than they should, reducing visibility into its ability to execute commands and write data to disk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill performs an external DNS/network reachability check (`google.com`) as part of health reporting, which causes outbound traffic to a third party without explicit user consent. In a system-health context, this expands the trust boundary and can leak metadata such as host activity timing, DNS configuration behavior, and network egress capability.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Hardcoding `google.com` for DNS testing is not clearly necessary for the stated purpose and creates an undocumented outbound dependency on an external provider. This can violate privacy expectations, fail in restricted environments, and expose environment/network behavior to a third party whenever the report runs.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill explicitly supports writing reports to a file but does not warn that system-health reports may contain sensitive operational data such as host details, process information, disk usage, or network state. This increases the risk of inadvertent persistence of sensitive information on disk where other users, backups, or logging systems may later access it.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The report includes hostname, network interfaces, IPs, uptime, and top process command lines, then writes them to any user-supplied file path without warning about sensitivity. This can lead to unintended disclosure if saved into shared locations, logs, or world-readable directories, especially in multi-user or managed environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The DNS check silently contacts an external service during routine health reporting without disclosing that behavior to the user. In a monitoring tool, undisclosed outbound requests are security-relevant because they may violate policy, surprise operators, and leak execution timing or environment metadata.

VirusTotal

59/59 vendors flagged this skill as clean.
