Back to skill

Security audit

Gno

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local document-search skill, but it needs review because it gives an agent broad GNO command access that can index private files, change assistant configurations, run persistent services, export content, and delete local GNO data.

Install only if you trust the external GNO CLI and want an agent to manage a local knowledge index. Use narrow collections, avoid secrets and sensitive folders, prefer dry-run or preview modes before config or publish actions, do not enable MCP write tools unless needed, and avoid exposing the web UI beyond your machine unless you understand the network impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The CLI includes an MCP installation command that writes integration settings into external client configurations, which goes beyond local document search. In an agent/tooling context, config-writing capabilities can be abused to persist access paths or alter how other assistants invoke this tool, especially if a user does not realize install actions modify client config files.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Skill installation commands for external AI assistants are context-inappropriate for a document-search skill and create a configuration-modification pathway unrelated to ordinary search operations. In agent ecosystems, such install commands can enable persistence or unexpected cross-tool integration if invoked with broad trust and insufficient user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly states the skill grants `Bash(gno:*)`, i.e. the agent may invoke arbitrary `gno` subcommands on the host. Even if this is scoped to the `gno` binary rather than a general shell, many CLI operations can still modify local indexes, publish data, install components, or otherwise change host state, and the README does not clearly warn users about those side effects. In a skill intended for autonomous agents, normalizing unrestricted command execution without strong safety guidance increases the risk of unintended destructive or privacy-impacting actions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documented reset command deletes all GNO data, including database, embeddings, and configuration, but the reference does not state the confirmation behavior or safeguards beyond a generic caution. In an agent-assisted environment, an underexplained destructive command raises the risk of accidental invocation and irreversible local data loss.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The MCP install command modifies client configuration files, but the documentation does not clearly warn users that running it will write to or overwrite those files. This omission can lead to unintended config changes, especially when commands are relayed through an assistant or copied without careful review.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The skill installation command can install or overwrite assistant configuration/integration files, but the reference does not prominently warn about these side effects. In practice this can cause unexpected local environment modification and make it easier for users to authorize changes they did not fully understand.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples encourage indexing personal and work directories without any caution that sensitive local files may be ingested, indexed, exposed in search results, or later processed by AI features. In a document-search skill, this omission increases the chance that users unknowingly include confidential material such as contracts, notes, credentials, or regulated data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The AI-answer examples show generating answers from indexed documents but do not warn that document chunks may be transmitted to or processed by local or remote models. Users may assume simple retrieval while actually exposing sensitive contract, note, or business content to model inference paths they did not intend to use.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The `--git-pull` maintenance examples omit that they change local repository state and may overwrite expectations about a working tree, fetch unreviewed upstream content, or trigger downstream reindexing on newly pulled files. While not inherently dangerous, examples that hide mutation can cause unintended operational changes in local docs repositories.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.