Back to skill

Security audit

zzr-testUpload-skill

Security checks across malware telemetry and agentic risk

Overview

This DEV log-search skill is mostly coherent, but it gives agents automatic access to sensitive backend logs and raw supplier request/response payloads without enough redaction or user control.

Install only if you are authorized to access this DEV log system and comfortable with agents retrieving, saving, and displaying raw backend HTTP payloads. Treat ~/.DEV_SKILL/dev-find-log/config.json and downloaded logs as sensitive, delete old executeId directories after use, and avoid sharing outputs unless raw URLs, tokens, identifiers, and personal or order data have been reviewed and redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly directs file reads/writes to a local cache and credential file, and network access to a shared gateway, yet no explicit permissions model is declared. This creates hidden capability expansion: an agent may perform sensitive log access, credential handling, and remote queries without transparent review or least-privilege controls.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match ordinary support requests such as 'check dev logs' or generic troubleshooting language, which can cause the skill to auto-activate in contexts where the user did not intend sensitive log retrieval. Because the skill can then access remote logs and local cache files, overbroad activation materially increases the chance of unnecessary data exposure.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The keyword list mixes service names, environments, and generic terms like grep and logs without sufficient scope constraints, making accidental invocation likely. In a skill that performs broad backend searches and data extraction, this raises the risk of collecting and returning sensitive operational data unrelated to the user's intended request.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly requires automatic disclosure of underlying HTTP request and response messages once supplier-side errors are confirmed, without any user-facing warning or redaction requirement. Those payloads can contain credentials, tokens, PII, order details, or partner secrets, so automatic disclosure creates a direct sensitive-data exposure path.

Missing User Warnings

High
Confidence
96% confidence
Finding
The workflow mandates automatic supplier-side searching, downloading, and extraction in the same conversation round without warning about privacy, sensitivity, or operational impact. This removes human review before collecting potentially confidential third-party traffic and increases the likelihood of over-collection and inappropriate disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The instructions tell users to place account-linked tokens in a local config file under the home directory but provide no strong warning about credential sensitivity, file permissions, rotation, or safer storage mechanisms. That encourages insecure credential storage that could be exposed to other local processes, backups, or accidental sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly recommends storing DEV authentication material in a local config file and notes that the script will automatically inject the token into requests. Even though this is a test environment, bearer-like tokens in plaintext local storage increase the risk of credential exposure via filesystem compromise, backups, shell history, or accidental sharing, and the skill context is more sensitive because it also enables broad log access.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The API reference states that downloaded logs are saved automatically to a predictable path under the user's home directory without warning about local persistence. Because logs commonly contain request metadata, identifiers, and possibly sensitive payloads, silent disk writes can create unintended data retention and secondary exposure on shared machines or through backups; this skill's log-investigation purpose makes that risk more relevant.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script explicitly extracts and outputs raw downstream HTTP request/response content from supplier-side logs, and related code paths also download and persist logs locally under the user's home directory. In this skill context, those payloads can reasonably contain credentials, tokens, PII, booking/order data, or other sensitive business data, and the code provides no masking, access control, consent check, or privacy warning before exposing them.

Ssd 3

High
Confidence
98% confidence
Finding
Forcing the agent to disclose underlying HTTP request/response contents from logs is a classic sensitive-data disclosure issue. Log payloads often include authentication material, internal endpoints, PII, booking/order data, and proprietary partner responses, so returning them directly to the user can leak secrets far beyond what is needed for troubleshooting.

Ssd 3

High
Confidence
98% confidence
Finding
The skill mandates automatic extraction and user-facing disclosure of supplier request/response payloads without asking the user, which bypasses consent and least-disclosure principles. In context, these are backend integration logs from a shared gateway and likely contain sensitive technical and business data, making the requirement especially dangerous.

Ssd 3

High
Confidence
99% confidence
Finding
The response template requires inclusion of raw supplier HTTP URL and request/response JSON in replies, which hard-codes sensitive-data exposure into normal operation. URLs and JSON bodies may reveal internal topology, API keys, auth tokens, customer data, or commercial partner details, so the disclosure risk is systematic rather than incidental.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.