Back to skill

Security audit

Agent Step Sequencer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local step scheduler that runs user-approved multi-step work through a configured agent and heartbeat.

Install this only if you want approved multi-step tasks to continue through heartbeat automation. Set STEP_AGENT_CMD and STEP_RUNNER only to trusted local commands or paths, review the generated plan before sensitive work, avoid placing secrets in step instructions, and disable the heartbeat or mark state DONE when automation should stop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
agent_cmd = get_agent_cmd() + [prompt]
    try:
        result = subprocess.run(
            agent_cmd,
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
result = subprocess.run( agent_cmd, capture_output=True, text=True, timeout=3600, shell=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while explicitly depending on environment variables, file writes to persistent state, and shell/subprocess execution via Python and STEP_AGENT_CMD. This creates a capability transparency gap: operators may trust and install it without realizing it can execute external commands and persist/modify workflow state, which increases the chance of unsafe deployment or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose emphasizes planning and waiting for confirmation, but the documented behavior includes autonomous execution, retries, output validation, environment-driven invocation, and auto-advancement across steps. That mismatch is dangerous because users may grant trust based on a 'scheduler' description while the skill actually acts as an unattended orchestration layer that can repeatedly launch an external agent and continue work without additional user approval.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script resolves the executable runner from the STEP_RUNNER environment variable and then runs it with the current Python interpreter, allowing an attacker who can influence environment variables or process launch context to cause execution of arbitrary local Python code. In an agent skill context, this is more dangerous because the component is specifically designed to run automatically during heartbeat or orchestration flows, turning a configuration override into unattended code execution.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation guidance is broad enough that the skill may trigger for many normal requests involving multiple actions, setup, or perceived risk, causing the agent to enter an autonomous queued workflow more often than the user expects. In this skill's context, over-activation is more dangerous because activation leads to persisted state, heartbeat resumption, and external agent execution rather than a simple advisory planning mode.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The multi-step detection rules rely on vague linguistic cues such as 'then', 'set up', 'complete', or 'step by step' without strong limiting conditions. In this skill, such ambiguity can incorrectly escalate ordinary prompts into a self-resuming execution pipeline, increasing the risk of unintended autonomous actions and reducing meaningful user control.

Unvalidated Output Injection

High
Category
Output Handling
Content
agent_cmd = get_agent_cmd() + [prompt]
    try:
        result = subprocess.run(
            agent_cmd,
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
subprocess.run( agent_cmd, capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.