Security audit

zlm

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches the public ZLMediaKit project, checks GitHub issues and PRs, and writes a local report, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable with the agent contacting GitHub, cloning or updating ZLMediaKit under the configured workspace, and writing a local report. If you provide GITHUB_TOKEN, use a low-scope token and treat it as a secret. For cautious use, set WORKSPACE_DIR to a dedicated folder and ask the agent before running sync or periodic workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_cmd(cmd, cwd=None):
    """Run a command string and return its stdout (stderr is printed on failure)."""
    print(f"Running: {cmd}")
    # shell=True hands the unparsed string to the system shell; this is the call the scanner flagged
    result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    if result.returncode != 0:
        print(f"Error executing {cmd}:\n{result.stderr}")
    return result.stdout.strip()
Confidence
91% confidence
Finding
result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares required tools but does not declare permissions despite instructing the agent to use shell commands, access environment variables, write to a local workspace, and access the network. This creates a capability/permission mismatch that can lead to overly broad execution at runtime without clear consent boundaries or security review.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broad enough that common requests about ZLMediaKit updates, issues, PRs, or source analysis could trigger it unexpectedly. Because the workflow includes code synchronization and external queries, an accidental invocation can cause unintended network access and local workspace modification without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented workflow instructs the agent to run git clone/git pull and gh/curl commands, which both modify the local workspace and communicate with external services, but it does not require clear disclosure or confirmation to the user first. This creates a consent and safety problem because seemingly simple analysis requests could lead to persistent filesystem changes and network activity.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The README states that the skill will automatically clone/update a repository into a fixed local path and access the GitHub API, but it does not clearly disclose the privacy, network, and filesystem side effects to the operator. In an agent skill context, missing disclosure can lead users to trigger unexpected outbound requests and local writes, which is a real safety issue even if it is not inherently malicious.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text is broad enough to activate on general requests about ZLMediaKit dynamics, issues, PRs, or source analysis, which can cause the skill to run shell and network operations more often than a user explicitly intended. Overbroad invocation increases the chance of unnecessary code pulls, remote queries, and local file changes in response to ambiguous prompts.

VirusTotal

63/63 vendors flagged this skill as clean.