Back to skill

Security audit

Skill Security Checker

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local security scanner, but it has under-disclosed automatic network and cache behavior that users should review before installing.

Install only if you are comfortable with a scanner reading the target skill directory. In sensitive or offline environments, run it with --skip-update to prevent GitHub update checks, and choose report output paths deliberately because the tool can write reports and may create an update cache in the user's home directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises capabilities consistent with file I/O, networking, and shell-style execution examples, yet it does not declare permissions or scope boundaries. This creates a transparency and least-privilege problem: users and hosting platforms cannot accurately assess what access the skill may require, increasing the risk of overbroad execution or unsafe deployment assumptions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation claims scanning is local/offline or implies networking is unnecessary, while elsewhere it states the tool automatically contacts GitHub for update checks. Contradictory security claims can mislead users into running the skill in sensitive environments under false assumptions about egress behavior.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security statement says the tool only reads files and never writes, but the usage examples explicitly support writing JSON/HTML reports to disk. This is a material misrepresentation of side effects that can affect trust, filesystem safety expectations, and use in restricted or forensics-sensitive environments.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The tool performs an outbound update check to GitHub and caches the result, which extends behavior beyond a purely local audit engine. Even though the destination is hard-coded and the feature is not overtly malicious, it introduces undeclared network egress and privacy/operational risk in environments that expect offline or non-networked analysis.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code phones home to api.github.com for release metadata, a capability not required for core static auditing. In security-sensitive workflows, unexpected outbound connections can leak usage patterns, break policy compliance, or create a dependency on external infrastructure.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match ordinary user requests like 'scan this skill' or 'is this safe,' which can cause the skill to activate unexpectedly. Overbroad invocation increases the chance of accidental access to local paths, unintended scanning of user content, or execution in contexts where the user did not mean to invoke this skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The request sends a User-Agent string containing the tool name and version without any user-facing warning that network communication will occur. While limited, this still discloses tool usage metadata and confirms execution from the host to a third party.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The tool writes an update cache file into the user's home directory without explicit disclosure or consent. This is low severity, but it is still persistent state outside the scanned project and may be undesirable in constrained or privacy-sensitive environments.

External Transmission

Medium
Category
Data Exfiltration
Content
}

# Update check URL and version info
UPDATE_CHECK_URL = "https://api.github.com/repos/njskills/skill-security-checker/releases/latest"
CURRENT_VERSION = "1.3.0"

# Update check cache TTL (hours)
Confidence
94% confidence
Finding
https://api.github.com/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.