Fang: protect your env variables from being stolen.

Security checks across malware telemetry and agentic risk

Overview

Fang is a disclosed security-audit skill that scans chosen skill directories locally by default, with an optional code-upload LLM review mode users should treat carefully.

Use the default static scan for sensitive or proprietary code. Only enable --llm-key with a trusted provider or local endpoint, choose a narrow target directory, and assume any scanned script content may be sent to that configured service in LLM mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill documentation describes capabilities to read environment variables, scan files, write reports, invoke shell commands, and optionally send code contents to an external LLM, but it does not declare permissions or clearly bound those powers. That mismatch reduces transparency and weakens least-privilege review, making it easier for a high-access auditing skill to be installed and trusted without adequate scrutiny.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The optional deep-analysis path sends collected script contents to an external LLM service, which can expose proprietary code, embedded secrets, or sensitive local data from audited skills. Although this is framed as a security feature and requires the user to supply an API key, it still expands the trust boundary beyond local auditing and creates a real data-exposure risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: Allowing a user-supplied arbitrary base URL means audited source code can be posted to any endpoint, not just a vetted LLM provider, enabling easy exfiltration of sensitive code and secrets under the guise of analysis. In a security-audit skill, this capability is broader than necessary and increases the chance of misuse or accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly states that it reads script files and sends them to an OpenAI-compatible LLM, but the documentation does not prominently warn that source code and potentially embedded secrets may leave the local system. In a security-audit tool, this is especially sensitive because scanned files may contain credentials, proprietary logic, or other confidential material that would be exfiltrated to a third party or remote service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code uploads file contents when --llm-key is provided, but it does not present a clear user-facing warning at the point of transmission that local scripts may contain secrets or confidential source. Users may reasonably assume an env-theft scanner operates locally, so the lack of explicit disclosure can lead to unintended off-system leakage.

VirusTotal

67/67 vendors flagged this skill as clean.