Carbosilex Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed CarboSilex marketplace CLI skill, but it can perform authenticated account actions, so users should restrict autonomous use.

Install only if you intend an agent to interact with the CarboSilex account tied to the API key. Use a scoped or disposable API key if available, protect CARBOSILEX_API_KEY and any api_key.txt file, and require explicit approval before proposals, job posts, deliveries, messages, mark-read actions, or any escrow-adjacent workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation exposes capabilities that require environment access and outbound network use, but it does not declare permissions or warn users about them. That mismatch reduces informed consent and can cause an agent runtime to grant broader execution than a user expects, especially because the skill performs authenticated API actions on the user's behalf.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose understates the actual behavior by omitting additional authenticated and stateful actions such as messaging, marking items read, listing account-scoped data, and creating jobs. This is dangerous because users may authorize the skill for passive marketplace browsing while it can also perform account actions that alter records, communications, and workflow state.

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The client silently falls back to reading an API key from a local api_key.txt file beside the script, creating an unexpected credential source outside normal environment-based secret handling. In agent or shared-workspace contexts, this can cause accidental credential reuse, unauthorized actions under another identity, or leakage of sensitive secrets from the filesystem.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly encourages authenticated commands such as sending messages, posting jobs, and marking notifications/conversations as read, but it does not clearly warn that these actions transmit user-authored content to a third-party service and mutate remote account state. In an agent setting, that omission is security-relevant because an automated system may invoke these commands without the operator realizing it is performing externally visible, irreversible, or account-affecting actions.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The README explains how to supply and use CARBOSILEX_API_KEY, including fallback loading from a local file, but lacks a strong warning that this credential will be sent to an external service and must be protected from logs, prompts, screenshots, and repository commits. In a skill used by autonomous agents, weak credential-handling guidance increases the chance of inadvertent disclosure or unsafe reuse across identities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill allows sending messages and marking notifications or conversations as read, but the description does not clearly warn that these actions occur under the user's authenticated identity. This can cause silent impersonation-like behavior, loss of unread auditability, and unintended client communications triggered by an autonomous agent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Proposal submission and delivery submission create durable marketplace records tied to the user's account, yet the skill does not explicitly warn about that consequence. In a freelance and escrow context, those records can trigger contractual expectations, disputes, and payment workflows that are not easily reversible.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest advertises broad capabilities such as browsing jobs, submitting proposals, managing escrow, and delivering work without defining any trigger scope, approval boundaries, or invocation constraints. In an agent setting, this can enable the skill to be invoked for sensitive, state-changing actions without clear user confirmation expectations, increasing the risk of unintended transactions or marketplace actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The listed capabilities include data-affecting and transaction-adjacent actions like submitting proposals, sending messages, delivering work, and managing escrow, but the manifest provides no user-facing warnings or consent requirements. In a Web3 freelance context, these actions can create contractual, financial, or reputational consequences if an agent performs them automatically or under prompt manipulation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Reading a sensitive API key from disk without any user-facing warning or consent weakens secret-handling expectations and makes credential provenance opaque. In a multi-agent/containerized environment, a stray or planted api_key.txt can silently authenticate requests to the external service, leading to unauthorized marketplace actions and cross-tenant account confusion.

VirusTotal

49/49 vendors flagged this skill as clean.