V2ray Proxy

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a proxy helper, but it includes risky command execution and persistent shell-profile changes that users may not expect.

Install only if you are comfortable reviewing and controlling the shell script yourself. Before use, remove or replace the eval-based wrapper, confirm whether it edits ~/.bashrc, and make sure any system proxy changes have a clear rollback path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (6)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 98% confidence
Finding: This is a serious issue if the underlying skill actually exposes a `wrap` feature that `eval`s arbitrary input and modifies `~/.bashrc` for persistence, because that behavior far exceeds the stated purpose of proxy management. In a proxy-management skill, hidden arbitrary command execution and shell profile modification create a high-risk path to command injection, persistence, and user-environment compromise.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The `wrap()` function is a generic command-execution wrapper that uses `eval` on user-supplied input, which goes beyond basic proxy management and creates a command-injection surface. In an agent skill context, this is especially risky because higher-level tooling may pass untrusted or loosely validated strings into the wrapper, resulting in arbitrary shell execution.

Description-Behavior Mismatch

Medium

Confidence: 87% confidence
Finding: The script appends to `~/.bashrc`, creating persistent user-environment changes that are not disclosed in the skill description or help text. Undisclosed persistence is dangerous because it survives the current session, can alter future shell behavior, and reduces user control over what the skill changes on the host.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The README advertises automatically enabling and disabling the system proxy, but it does not clearly warn users that the skill modifies global network settings affecting other applications. In an agent skill context, silent or poorly disclosed system proxy changes can redirect traffic, break connectivity, or unexpectedly route unrelated application traffic through a local proxy service.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Using `eval "$cmd"` to execute arbitrary commands without an explicit warning or strict input handling is a real security issue, not just a usability problem. If any untrusted input reaches `wrap`, shell metacharacters can be interpreted, enabling arbitrary command execution with the privileges of the user running the skill.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: Persistent modification of `~/.bashrc` without explicit warning in the help text or manifest creates hidden side effects that users may not expect. In a skill intended to manage proxy state, undisclosed startup-file edits make the behavior more dangerous because they blur the boundary between temporary runtime configuration and lasting system changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal