SkillOpt

Security checks across malware telemetry and agentic risk

Overview

SkillOpt is a coherent skill-optimization tool, but it includes broadly scoped shell execution paths that users should review before installing.

Install only if you plan to use it in a trusted workspace and understand that its helper can run local shell commands through --agent-command and command scorers in task files. Treat imported task suites as executable code, review command fields before running, and avoid using it on sensitive prompts or secrets unless you control where rollout logs are written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                "skill_path": skill_path,
            },
        )
        proc = subprocess.run(
            command,
            shell=True,
            cwd=scorer.get("cwd"),
Confidence
97% confidence
Finding
proc = subprocess.run( command, shell=True, cwd=scorer.get("cwd"), text=True, capture_output=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                "output_path": text_path,
            },
        )
        proc = subprocess.run(
            command,
            shell=True,
            cwd=args.cwd,
Confidence
99% confidence
Finding
proc = subprocess.run( command, shell=True, cwd=args.cwd, text=True, capture_output=True, timeout=args.timeout,

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to create directories and files, run a Python script, validate task files, and execute shell-based rollout commands, which are code-capable operations. Because the skill declares no permissions or safety boundaries, an integrating system may expose file and shell access without clear user consent or policy checks, increasing the chance of unintended local command execution or filesystem modification.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Task-defined command scorers permit a task file to embed executable shell logic unrelated to simple data validation. In this skill context, tasks are inputs to the harness and may be externally sourced, so treating them as executable instructions expands the trust boundary and enables command execution during evaluation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The run command is explicitly an arbitrary shell-command wrapper, which is dangerous because it turns the optimization harness into a general-purpose command executor. In a skill-optimization tool, this is more dangerous than a narrow, fixed integration because operators may run third-party tasks or templates and assume the harness is only evaluating skills.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description is very broad and can trigger on generic requests about optimization, workflows, benchmarks, or skill improvement, causing the skill to activate outside a narrowly intended context. In this skill, over-broad activation is more dangerous because activation can lead to file edits and shell command suggestions or execution, amplifying the effect of a mistaken match.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The tool executes external commands and persists their outputs and metadata to files without any explicit safety disclosure or confirmation. This raises the risk of accidental execution of untrusted workflows, especially since the harness appears to be a benign evaluation utility but can run commands and capture potentially sensitive stdout/stderr into artifact files.

VirusTotal

65/65 vendors flagged this skill as clean.
