Back to skill

Security audit

ML Evolution Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a user-run ML competition template with disclosed local training, experiment memory, and an optional Kaggle submission step, not hidden or malicious behavior.

Install only if you are comfortable running and adapting ML training code. Keep auto-submit disabled unless you explicitly approve the competition, file, and message; avoid storing secrets or raw sensitive data in memory files; and verify or supply the missing ml_evolution implementation and dependencies before relying on the quick-start workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The target-statistics features are computed once on the full training set before cross-validation, so each validation fold is encoded using its own labels. This causes target leakage and inflates offline CV scores, which can mislead downstream automated experimentation and model selection in this ML agent context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal