Back to skill

Security audit

Content Creator Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent content-writing skill, but it needs Review because it can create ready-to-publish public content on schedules, persists performance/voice data, and under-discloses its local Python setup.

Install only if you are comfortable with an autonomous content workflow that writes local voice/performance files and queues public-facing posts. Review all generated posts before publication, explicitly opt in before enabling the Python tracker or cron jobs, and avoid storing secrets, customer data, or unverifiable personal claims in the skill’s files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documentation instructs the agent to copy and execute a Python script from the skill bundle and verify a local runtime, expanding behavior from passive content generation into code execution. Executing bundled scripts increases the attack surface because a reviewer may approve a writing skill while overlooking that it also runs local code with workspace access.

Scope Creep

High
Confidence
97% confidence
Finding
The setup directs writing to /workspace/content/scripts/content_tracker.py, but that destination is outside the manifest's declared writable paths. This creates an undeclared write capability that can be abused to drop executable code into the workspace and later run it, bypassing the permission boundary the manifest is supposed to establish.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The manifest claims the skill performs filesystem operations only, but the instructions and cron entries require executing Python commands. That discrepancy can mislead operators into granting trust based on a lower-risk profile while the actual workflow includes code execution, which materially changes the security model.

Description-Behavior Mismatch

Low
Confidence
91% confidence
Finding
The documentation explicitly instructs the agent to create a missing `voice.md` file, which expands behavior from content generation into persistent file modification. Even if intended as convenience, implicit file writes can surprise users, alter workspace state, and create opportunities for downstream misuse if the agent writes sensitive, misleading, or policy-violating content without explicit approval.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly advertises persistent logging of content activity and audit events, but provides no notice about retention limits, access controls, or user/operator visibility into those logs. In an autonomous agent ecosystem, this can expose sensitive operational data, authored content, business strategy, or user-derived inputs to unintended readers and create privacy, compliance, and confidentiality risks.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The instruction implies the agent reads or creates `voice.md` before every piece, but does not clearly limit when this behavior should trigger or under what user-authorized conditions. Ambiguous trigger conditions increase the chance of unintended autonomous actions, especially in agentic systems that may execute workflow steps without a fresh confirmation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes automatic file creation without any user-facing warning, which creates a transparency and consent problem. In practice, silent workspace modification is risky because users may not realize the agent is persisting data, and other tools or agents may later consume that file as trusted input.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.