Knowledge Graph - Transitive Closure Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local graph-analysis skill with an advertised cycle-detection feature that is not actually implemented, but it does not seek sensitive access or perform hidden actions.

Install only if you are comfortable treating it as a basic local transitive-closure helper. Do not rely on its advertised cycle-detection result or unsupported algorithms until those gaps are fixed and tested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill advertises cycle detection support via metadata/configuration, but no code actually detects cycles and `has_cycle` is never updated from its default value. Consumers may make security- or correctness-relevant decisions based on a false belief that cyclic dependencies will be identified, which can cause unsafe graph expansion, bad dependency analysis, or policy bypass in downstream workflows.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The configuration field `detect_cycles` and the reported statistic `has_cycle` imply that the engine evaluates cycles, but the flag is ignored and the statistic is always false. This is dangerous because callers may trust the API contract and omit their own validation, leading to silent logic errors in dependency or hierarchy analysis where cycles matter.

VirusTotal

65/65 vendors flagged this skill as clean.
