Back to skill

Security audit

Fulcra Ingest

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Fulcra data ingestion, but it asks for broad automation and destructive account-data mutation that users should review before installing.

Install only if you are comfortable giving the agent authority to read, upload, create, and delete Fulcra ingestion data. Before using API/local fetching, scheduled monitoring, or correction workflows, confirm the exact source, destination, frequency, records affected, archive location, and how to stop or roll back the operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as ingesting files already placed in the Fulcra File Store, but the workflow expands that authority to directly fetch data from APIs, local services, and CLI tools. This broadens access beyond user-uploaded artifacts and can cause the agent to collect or transmit additional data sources the user did not intend to expose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The instruction to proactively offer cron jobs, continuous loops, or heartbeat reminders introduces persistence and periodic monitoring behavior that exceeds a one-time ingestion task. Persistent automation increases the risk of over-collection, repeated access to sensitive directories or services, and unintended background processing without strong user awareness.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Allowing the skill to fetch directly from APIs, local services, and CLI tools materially expands its operational scope from file ingestion to active data acquisition. In an agent setting, that broader capability can expose credentials, local data, or network-reachable resources and makes misuse or accidental overreach more dangerous than the stated purpose suggests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow describes automatic fetching from external and local sources without a prominent privacy notice explaining what data may be accessed, where it will be uploaded, and what credentials or local context might be involved. Users may reasonably believe the skill only processes files they manually dropped into Fulcra, making silent expansion into network/local acquisition a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs deletion and re-ingestion of user data as part of correction workflows, but the destructive nature of deleting prior records is not prominently surfaced as a risk to the user. Even with archive guidance, an agent could remove or replace records unexpectedly, causing data loss, timeline inconsistencies, or difficult-to-reverse changes if mappings are wrong.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document includes a destructive `file delete` command for the Fulcra File Store without any warning, confirmation guidance, or safety constraints. In an autonomous ingestion skill, this increases the chance an agent will delete source exports or archives during routine workflow execution, causing irreversible data loss or loss of auditability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions explicitly direct the agent to overwrite a shared persisted state file (`ingest/_meta/source_map.md`) after ingestion, but do not require user confirmation, version checks, or merge/conflict handling. In an autonomous workflow this can silently modify metadata relied on by future runs, causing state corruption, loss of prior notes or archive history, and hard-to-detect cross-run integrity issues.

Missing User Warnings

High
Confidence
97% confidence
Finding
The re-ingestion workflow tells the agent to fetch existing records, delete them using `DeletedRecord`, and then re-ingest, without mandating explicit user confirmation or safeguards for destructive operations. If triggered incorrectly or by ambiguous user input, this can cause irreversible data loss, inconsistent timelines, or accidental mass replacement of records under a source ID.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.