Security audit

Skills Summarize Audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real skill-audit tool, but it asks agents to read broad local skill/project data, use network search, persist audit data, and perform skill modifications with some defaults that are broader than its summary suggests.

Review this skill before installing if your skill directories or project memories contain private prompts, credentials, or proprietary workflow notes. Prefer the manual download-and-verify install path, disable default network/community-feed and persistence features unless you need them, and run it first in a disposable or clean workspace before allowing archive, install, update, or rollback actions.

SkillSpector
By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (33)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill clearly describes broad file-reading behavior across skill directories and project files, but the metadata declares no explicit permissions. Undeclared read capabilities reduce transparency and prevent platforms from enforcing least privilege, which can expose unrelated local files during an audit run.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documentation presents the skill as an audit/reporting tool, but it also states that it may install tools, create config files, create user-profile files, and perform rollback or execution actions. This description-behavior mismatch can mislead users into authorizing a seemingly read-only audit that actually modifies the environment and reaches external sources.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The README instructs users to execute remote scripts directly from the network via shell and PowerShell pipelines. Even though it includes a warning and offers a safer download-and-verify path, normalizing one-line remote execution creates a supply-chain risk: a compromised repository, account, CDN, or network path could lead to arbitrary code execution on the user's machine.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The skill says missing dependencies may be auto-installed and missing files may be auto-generated, which turns an audit function into an environment-modifying workflow. Automatic mutation expands the attack surface and can lead to unwanted package installation, config drift, or persistence on systems where users expected inspection only.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The skill includes external GitHub/community search and signal collection beyond a local directory audit. External lookups introduce data exposure, supply-chain influence, and nondeterministic behavior, especially when recommendations or validations depend on remote content.

Intent-Code Divergence
Severity: Medium
Confidence: 90%
Finding: One section states the skill only scans the current directory, while other sections describe writing project-profile files, creating configs, snapshot backups, rollback, and optional external operations. Contradictory scope statements can cause users or orchestrators to underestimate the skill's reach and approve actions they would otherwise block.

Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: The CI workflow allows the audit command to use WebSearch and WebFetch even though the stated task is auditing local skill directories and generating a report. In a CI context, unnecessary network-capable tools expand the attack surface: a malicious or compromised skill, prompt, or tool invocation path could exfiltrate repository data or pull untrusted remote content that influences the audit result.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The document states that scanning is limited to the current working directory, but it also instructs the agent to consult .data/project-profiles.json for freshness checks. That creates a scope mismatch that can lead to unexpected reads outside the declared boundary, weakening user expectations and directory isolation.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The flow is presented as a scan/profile step, but it mandates persistent writes to {project}/.agents/project-profile.md with persisted=true. This turns a read-oriented audit action into a state-changing operation without clearly separating analysis from modification, which can surprise users and alter repositories unintentionally.

Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: The skill is described as a local directory auditing tool, but the documentation explicitly adds a fallback to web search when local reference files are missing. This expands the trust boundary and can cause nondeterministic behavior, external data dependency, and possible prompt/data injection from remote content, which is unjustified for the stated purpose.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: This step expands the skill from local directory auditing into active network reconnaissance against GitHub and possibly other external sources. That creates a material scope mismatch: a user invoking a local audit tool may unintentionally trigger outbound requests, external data collection, and dependency on remote services not clearly reflected in the skill metadata.

Description-Behavior Mismatch
Severity: Low
Confidence: 84%
Finding: The cache design introduces local state persistence that goes beyond a one-shot audit/reporting workflow and is not transparently disclosed. Persisting search queries, gaps, and recommendations can leak project interests or internal capability deficiencies to local storage where other tools or users may later access them.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The fallback to WebFetch or another agent broadens the trust boundary and can send search terms or derived project gaps to external systems without clear justification or notice. Because the fallback is automatic in the documented flow, users may not realize that a local audit can pivot into remote retrieval through alternate tooling.

Natural-Language Policy Violations
Severity: Medium
Confidence: 85%
Finding: The changelog explicitly states that the skill performs automatic language switching based on the user's session language, but does not mention an explicit opt-in or confirmation step. In an auditing/reporting skill, silently altering translation direction or output language can cause unintended data handling and behavior that surprises users, especially when mixed-language content or sensitive text is involved.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: Broad trigger words like '回滚', '撤销', '恢复', 'rollback', and 'revert' are common conversational terms and may activate the skill unintentionally. Because this skill advertises snapshot and undo behavior, accidental triggering could lead to unintended state changes or restoration actions.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill mentions automatic installation and file generation in prerequisite handling, but the overall presentation emphasizes audit/reporting and does not prominently warn that the environment may be modified. This can cause users to invoke the skill under false assumptions about safety and reversibility.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding: The skill explicitly instructs reading local files such as config.yaml, memories/MEMORY.md, and user-profile.md, which may contain sensitive configuration or personal data, but it does not surface a clear consent boundary or minimization rule to the user. In an agent skill context, silent local file access increases the risk of over-collection and accidental disclosure in reports or downstream outputs.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The instruction forces persistence of derived project data to disk without any warning or consent mechanism. Writing files into a project can leak metadata, create unwanted diffs, and interfere with clean working trees or automated workflows.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: Automatic re-profiling based on staleness triggers repeated scanning and profile updates without warning. In practice this can cause recurring filesystem access and silent file modifications, increasing operational surprise and the chance of unintended data churn.

Missing User Warnings
Severity: Low
Confidence: 87%
Finding: The file describes writing a cache snapshot locally but provides no warning that audit-derived data will be persisted. Even if the data is not highly sensitive by default, silent retention of project gaps, searches, and recommendations is a transparency and privacy problem that can expose internal analysis over time.

Missing User Warnings
Severity: Low
Confidence: 86%
Finding: The documented fallback to WebFetch or agent-reach lacks any warning that the skill may use network access and transmit search queries externally. This weakens informed consent and can surprise users operating in privacy-sensitive or offline audit environments.

Missing User Warnings
Severity: Low
Confidence: 93%
Finding: The document instructs the skill to persist data to .data/stats.json before report output, but provides no user-facing notice, consent step, or safeguard around modifying local files. In an agent skill context, silent filesystem writes can violate user expectations, create unintended state, and become a stepping stone for broader unsafe side effects when run in automation or CI.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The flow specifies automatic snapshot creation for all editable skills and automatic garbage collection based on retention days, but it does not warn users that running the skill changes disk state and may retain or delete copies of skill data. In an audit/automation context, undisclosed backup and cleanup behavior can surprise operators, consume storage, and affect sensitive local content handling.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The document explicitly describes automatic garbage collection of cache entries and old snapshots, but provides no warning, confirmation model, or safeguard around deletion of locally stored data. In the context of an auditing/persistence workflow, silent cleanup can cause unintended data loss, reduce forensic traceability, and surprise operators who expect retained snapshots or cached signals to remain available.

Natural-Language Policy Violations
Severity: Medium
Confidence: 86%
Finding: The template hard-codes a workflow that rewrites descriptions into Chinese (for example, '纯英文→中文化') without any user preference check or opt-in. This is a policy and UX safety issue because it can cause unwanted content transformation, override project language conventions, and produce misleading audit actions when the repository is intentionally multilingual or English-only.

VirusTotal

VirusTotal findings are pending for this skill version.
Static analysis

No suspicious patterns detected.