Back to skill

Security audit

Ai Shifu Course Creator

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for AI-Shifu course work, but it can use your account token to publish, modify, delete, and query sensitive course data with limited confirmation safeguards.

Install only if you want an agent to manage real AI-Shifu courses from your account. Before letting it run, confirm any publish, archive, delete-lesson, set-access, set-tts, or import into an existing course; protect or remove the skill .env token when not needed; and consider pinning/updating dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to use powerful capabilities including shell, network, file read/write, and environment-backed authentication flows, but no explicit permission declaration or capability scoping is present. In a long, tool-oriented skill like this, missing permission boundaries increases the chance of unintended command execution, data exposure, or unsafe file/network access if the skill is invoked in the wrong context or influenced by adversarial user input.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description is extremely broad and can activate the skill for routine mentions of AI-Shifu, analytics, authoring, deployment, and learner data topics. Because this skill contains instructions to verify auth, use CLI tooling, read/write files, query analytics, and publish/manage courses, over-triggering materially increases the chance that high-privilege behaviors are brought into conversations where they are unnecessary or unsafe.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The example hard-codes the writing style to English (en-US) even though the file earlier states that actual output language should follow language-resolution rules. In a skill that is supposed to support multilingual course authoring, forcing English without explicit user choice can override user intent, produce incorrect learner-facing content, and create downstream publishing or compliance issues for courses expected in another language.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The contract hard-codes `default_fallback_language` to `zh-CN`, which can cause outputs to be generated in Chinese when no stronger language signal is present. In this skill, that can misdirect learners, hide critical deployment or analytics details from the operator, and create integrity/safety issues through misunderstanding, but it is not a direct code-execution or data-exfiltration flaw.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The import path deletes all existing course outlines before recreating them, but there is no explicit destructive-operation confirmation, dry-run, or prominent warning at the user interface boundary. In a course-management skill, that makes accidental data loss more dangerous because a mistaken command or wrong `shifu_bid` can wipe lesson structure for a live course before the user realizes what happened.

Credential Access

High
Category
Privilege Escalation
Content
def save_env(token):
    """Persist token to the skill's .env file."""
    env_path = str(ENV_FILE)
    if not ENV_FILE.exists():
        ENV_FILE.parent.mkdir(parents=True, exist_ok=True)
Confidence
72% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28
python-dotenv>=1.0
Pillow>=10.3.0
pillow-heif>=0.13
Confidence
94% confidence
Finding
requests>=2.28

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28
python-dotenv>=1.0
Pillow>=10.3.0
pillow-heif>=0.13
Confidence
94% confidence
Finding
python-dotenv>=1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28
python-dotenv>=1.0
Pillow>=10.3.0
pillow-heif>=0.13
Confidence
95% confidence
Finding
Pillow>=10.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28
python-dotenv>=1.0
Pillow>=10.3.0
pillow-heif>=0.13
Confidence
93% confidence
Finding
pillow-heif>=0.13

Known Vulnerable Dependency: requests==2.28 — 7 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +4 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests==2.28

Known Vulnerable Dependency: python-dotenv==1.0 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
74% confidence
Finding
python-dotenv==1.0

Known Vulnerable Dependency: Pillow==10.3.0 — 6 advisory(ies): CVE-2026-25990 (Pillow affected by out-of-bounds write when loading PSD images); CVE-2026-42311 (Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)); CVE-2026-42310 (Pillow has a PDF Parsing Trailer Infinite Loop (DoS)) +3 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
Pillow==10.3.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.