Shorts Builder

Security checks across malware telemetry and agentic risk

Overview

This story-writing skill is mostly purpose-aligned, but its local graph storage can escape its intended folder if a crafted pipeline ID is used.

Review before installing. Use only skill-generated pipeline IDs and avoid giving it sensitive private story material. Consider fixing the package first: validate pipeline_id against a safe identifier pattern, resolve storage paths under data/graphs, add deletion confirmation or recovery, and align the retry limit and storage documentation with the code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill documentation describes persistent local state in `data/pipeline_state.json` and file-backed workflow behavior, but no corresponding permissions are declared. Undeclared file read/write capability is a real security issue because it hides the skill's data access from the permission model and can lead to unauthorized storage of user-generated content, metadata, or later expansion to broader local file access. The story content may also contain sensitive user material, making silent persistence more risky in this context.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The file path is built by joining the storage directory with a user-controlled pipeline_id and a .json suffix, without validating or normalizing the identifier. An attacker can supply path traversal sequences such as '../' to cause reads, writes, and deletion of files outside the intended graph directory, which exceeds the stated purpose of local story graph management.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module claims to manage graph data in local JSON storage, but because pipeline_id is used directly in path construction, the implementation can access files outside that local graph store. This mismatch is security-relevant because callers may trust the documented scope while the code actually permits broader filesystem access.

VirusTotal

63/63 vendors flagged this skill as clean.
