Hu Tian (胡田) OPC Mentor Technical Due Diligence

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine due-diligence helper rather than malware, but it needs review before use: it reads API credentials, sends deal data to external services, persists generated reports into a shared knowledge base, and ships verifier logic that can make weak or misleading reports look trustworthy.

Install only after tightening controls: use platform-managed, least-privilege secrets instead of a SECRET.md file or ambient environment variables, require explicit human approval before uploading or writing back documents, redact personal and commercial details before anything is searched or stored, and treat generated reports as drafts until every claim has been independently verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The workflow explicitly instructs the skill to obtain IMA API credentials from SECRET.md or environment variables, expanding the skill from analysis into secret access. For a due-diligence skill, this creates unnecessary privilege exposure and can enable unauthorized use of external systems or credential leakage if the skill is misused, logged, or repurposed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The skill is presented as an initial due-diligence screening tool, but the documented flow includes append_doc writes that persist generated reports into the IMA knowledge base. This broadens the data-handling surface from transient analysis to durable storage, increasing risk of unauthorized retention, contamination of internal knowledge stores, and unintended downstream reuse of sensitive project information.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The script presents itself as a due-diligence report verifier, but the factual verification logic is hard-coded to specific expected strings for one company. In an investment due-diligence context, this can falsely validate misleading reports that merely include the expected claims, creating a serious integrity failure and enabling bad investment decisions.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The compliance function computes checks and even tracks failures, but it always prints a passing result and returns True. In a technical due-diligence workflow, this can systematically mislabel non-compliant or incomplete reports as acceptable, undermining controls and creating a false sense of assurance for downstream decision-makers.
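The two verifier findings above (expected strings hard-coded for one company, and a compliance function that tracks failures yet always returns True) are easier to see as code. The block below is an added example written for this page, not the skill's own script: the section list, the expected claims, the `[src: ...]` citation convention and the two sample reports are constructed assumptions. It puts each flawed pattern beside a version whose verdict is derived from what the check actually found.

```python
import re

# Constructed for this example: the sections a report must contain and the
# claims a hard-coded verifier would look for (fixed for one company in the skill).
REQUIRED_SECTIONS = ["Team", "Technology", "IP", "Market", "Risks"]
EXPECTED_CLAIMS = ["founding team of 4", "3 granted patents"]
CITATION = re.compile(r"\[src:\s*([^\]]+)\]")   # assumed citation convention


def compliance_check_broken(report: str) -> bool:
    """The pattern the finding describes: failures are collected, then ignored."""
    failures = [s for s in REQUIRED_SECTIONS if f"## {s}" not in report]
    print("Compliance: PASS")  # printed even when `failures` is non-empty
    return True                # always True, so callers never see the failures


def compliance_check(report: str) -> tuple[bool, list[str]]:
    """Same check, but the verdict is derived from the failures it found."""
    failures = [f"missing section: {s}" for s in REQUIRED_SECTIONS
                if f"## {s}" not in report]
    return not failures, failures


def fact_check_broken(report: str) -> bool:
    """String-presence matching: any report that echoes the expected claims
    passes, whether or not they are true or supported."""
    return all(claim in report for claim in EXPECTED_CLAIMS)


def fact_check(report: str, retrieved: set[str]) -> tuple[bool, list[str]]:
    """Each bullet claim must cite a source the workflow actually retrieved;
    uncited claims and unknown sources are failures."""
    failures = []
    for line in report.splitlines():
        if not line.startswith("- "):
            continue
        cites = CITATION.findall(line)
        if not cites:
            failures.append(f"uncited claim: {line[2:].strip()}")
        for src in cites:
            if src.strip() not in retrieved:
                failures.append(f"unknown source: {src.strip()}")
    return not failures, failures


def verify_report(report: str, retrieved: set[str]) -> dict:
    """Combined verdict: acceptable only if both checks pass, failures attached."""
    comp_ok, comp_fail = compliance_check(report)
    fact_ok, fact_fail = fact_check(report, retrieved)
    return {"passed": comp_ok and fact_ok, "failures": comp_fail + fact_fail}


# Constructed sample: echoes the expected claims, cites nothing, lacks a section.
MISLEADING_REPORT = """\
## Team
- founding team of 4
## Technology
- 3 granted patents
## IP
## Market
"""

# Constructed sample: same claims, each tied to a document the skill fetched.
SUPPORTED_REPORT = """\
## Team
- founding team of 4 [src: cap-table-2024.pdf]
## Technology
- 3 granted patents [src: cnipa-search-2024-05.txt]
## IP
## Market
## Risks
"""
RETRIEVED = {"cap-table-2024.pdf", "cnipa-search-2024-05.txt"}   # constructed

if __name__ == "__main__":
    print("broken:", compliance_check_broken(MISLEADING_REPORT),
          fact_check_broken(MISLEADING_REPORT))
    print("fixed: ", verify_report(MISLEADING_REPORT, RETRIEVED))
    print("fixed: ", verify_report(SUPPORTED_REPORT, RETRIEVED))
```

The broken pair accepts the misleading report on both counts; the fixed pair rejects it for the missing section and the two uncited claims, and accepts the supported report. The important design point is the return type: a verifier that hands back its failure list cannot be silently wrong in the way a bare `True` can.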

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs users to collect and verify team-member identities, project materials, patent details, and supporting documents, but provides no privacy, minimization, retention, or consent guidance. In a due-diligence context this can lead to unnecessary collection or mishandling of personal and commercially sensitive data, especially when users are prompted to search individual names and gather raw reports.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill enables `search_web`, `browser-use`, and `file_operations` for investigative workflows without warning that inputs, project documents, or personal details may be transmitted to third-party services or written to local storage. This increases the risk of accidental disclosure of confidential investment materials, personally identifiable information, or proprietary technical documents during normal use.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document instructs operators to import customer source documents and later write due-diligence reports back into IMA, but it does not disclose that customer materials and derived analysis will be uploaded and persistently stored. In a due-diligence context, these documents may contain highly sensitive commercial, technical, legal, or personal data, so silent persistence creates a meaningful privacy and confidentiality risk.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The workflow directs the skill to use web search when internal sources are insufficient, but gives no warning that project names, founder names, patent numbers, or technical keywords may be disclosed to third-party search providers. In due diligence, even query metadata can reveal confidential deal activity or sensitive target information.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Referencing SECRET.md and environment variables for authentication without explicit handling safeguards normalizes direct secret access while omitting warnings about secrecy, logging, output leakage, or reuse. This is especially risky because the same section also clarifies which token is the usable API key, making accidental misuse or extraction easier.
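The controls the overview asks for (platform-managed secrets, explicit approval before write-back, redaction before search or storage) can be enforced in one place if every tool call passes through a gateway. The block below is an added example for this page and is not the skill's code: `search_web` and `append_doc` are the tool names from the findings, while the `IMA_API_TOKEN` variable name, the placeholder scheme, the identifier regexes, the approval callback and the sample deal terms are assumptions. It covers the search-disclosure findings, the write-back persistence findings and the two secret-handling findings above.

```python
import os
import re
from typing import Callable

# Constructed patterns for identifiers that commonly appear in deal material.
# Names cannot be found reliably by regex; they come from the deal-specific
# term list passed to the gateway.
PATENT_RE = re.compile(r"\b(?:CN|US|EP|WO)\s?\d{6,12}(?:\s?[A-Z]\d?)?\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class ToolGateway:
    """Every tool the skill uses goes through here: outbound text is redacted,
    writes need a human approval, and the API token is never handed to the
    model or written to the log."""

    def __init__(self, sensitive_terms: list[str],
                 approve: Callable[[str, str], bool], token: str):
        self._token = token
        self.approve = approve
        self.log: list[str] = []
        # Longest terms first, so "Project Kestrel" is replaced before "Kestrel".
        terms = sorted(set(sensitive_terms), key=len, reverse=True)
        self._placeholders = {t: f"[TERM-{i + 1}]" for i, t in enumerate(terms)}

    @classmethod
    def from_env(cls, sensitive_terms, approve, var: str = "IMA_API_TOKEN"):
        """Take the token from a platform-injected variable (name assumed);
        there is deliberately no fallback to a SECRET.md file."""
        token = os.environ.get(var)
        if not token:
            raise RuntimeError(f"{var} is not set; refusing to read secrets from files")
        return cls(sensitive_terms, approve, token)

    def scrub(self, text: str) -> str:
        """Remove the token from anything that leaves the gateway."""
        return text.replace(self._token, "[TOKEN]") if self._token else text

    def redact(self, text: str) -> str:
        """Replace deal-specific terms, patent numbers and e-mail addresses."""
        for term, placeholder in self._placeholders.items():
            text = text.replace(term, placeholder)
        text = PATENT_RE.sub("[PATENT]", text)
        return EMAIL_RE.sub("[EMAIL]", text)

    def search_query(self, query: str) -> str:
        """The string that may be sent to a third-party search provider."""
        outbound = self.redact(query)
        self.log.append(self.scrub(f"search_web: {outbound}"))
        return outbound

    def append_doc(self, doc_id: str, content: str):
        """Write-back to the knowledge base only after a human approves the
        redacted text; returns what was written, or None when blocked."""
        outbound = self.redact(content)
        if not self.approve(doc_id, outbound):
            self.log.append(f"append_doc blocked: {doc_id}")
            return None
        self.log.append(f"append_doc approved: {doc_id}")
        return outbound

    def tool_output(self, raw: str) -> str:
        """Everything a tool returns to the model passes through here, so a
        tool that dumps the environment cannot hand the token to the model."""
        return self.scrub(raw)


if __name__ == "__main__":
    # Constructed deal terms and token; approval is denied to show the gate.
    gw = ToolGateway(["Zhang Wei", "Project Kestrel"],
                     approve=lambda doc_id, text: False, token="sk-example-123")
    print(gw.search_query(
        "Zhang Wei Project Kestrel patent CN115123456A zhang.wei@example.com"))
    print(gw.append_doc("dd/kestrel", "Zhang Wei founded Project Kestrel"))
    print(gw.tool_output("IMA_API_TOKEN=sk-example-123"))
    print(gw.log)
```

The approval callback should be a human prompt, not another model call, and the term list should be populated from the deal record (founder names, project and product names, counterparties) before the skill runs. The regexes only catch structured identifiers; they are a floor, not a substitute for the term list.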

VirusTotal

VirusTotal findings are pending for this skill version.
