llms.txt File Builder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward llms.txt generator and validator. It does the website fetching and local file input/output you would expect from such a tool, so the usual caution applies around untrusted URLs and output paths.

Install only if you want a local Python helper for llms.txt work. Run it on public sites and files you trust, review the --output path before writing, and use --check-urls only when you are comfortable with the tool contacting URLs contained in the file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'url' from input (line 189, user input) → requests.get (network output)

Medium
Category
Data Flow
Content
"""Fetch a URL with error handling."""
        url = full_url or urljoin(self.base_url, path)
        try:
            resp = requests.get(url, timeout=self.timeout, allow_redirects=True)
            if resp.status_code == 200:
                return resp
        except:
Confidence
92% confidence
Finding
resp = requests.get(url, timeout=self.timeout, allow_redirects=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises executable workflows that read and write local files and perform network access, but it declares no permissions or trust boundaries. That creates a transparency and governance gap: users or orchestrators may invoke a capability set broader than expected, including fetching remote content and writing generated output to disk. In this context, the risk is elevated because the skill is explicitly designed to crawl websites and produce files, so undeclared capabilities can enable unintended data access, SSRF-like fetches to arbitrary domains, or unsafe writes if downstream code is not constrained.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The skill description does not accurately reflect behavior: it implies generation/validation/optimization of llms.txt, while the referenced workflow also performs live HTTP checks and lacks a concrete optimization flow. Behavioral mismatch is security-relevant because operators may approve or auto-route the skill under a narrower trust model than its actual runtime behavior, especially when network access is involved. In this skill's context, checking live URLs can trigger outbound requests to attacker-controlled or sensitive targets, increasing risk beyond simple document generation.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger text is broad enough to match generic requests such as making a site more AI-readable or improving visibility in AI search, which may cause this skill to activate outside its narrow intended use. Overbroad invocation criteria are dangerous because they can unexpectedly grant the skill opportunities to read, write, and fetch network data in conversations where the user did not specifically request llms.txt generation. The context makes this more concerning because the skill includes operational actions, not just advice, so accidental activation can lead to unintended external requests or file creation.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The optional --check-urls path performs outbound HTTP requests to URLs parsed from the input file, which can cause unintended network access when validating untrusted content. In an agent/skill context, this creates an SSRF-like primitive and privacy risk because attacker-controlled llms.txt content could trigger connections to internal services, cloud metadata endpoints, or other sensitive hosts if a user enables live checking.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal