DiskMan

Security checks across malware telemetry and agentic risk

Overview

DiskMan is a real disk-management skill, but it gives agents broad power to delete, move, link, scan, and optionally send directory metadata to external AI providers without enough enforced safeguards.

Install only if you are comfortable giving this skill broad disk-management authority. Use dry-run first, verify exact resolved paths before cleanup or migration, back up important folders, avoid elevated privileges, and prefer rule-based or local AI mode when directory names or project paths are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Delete source
try:
    if os.name == "nt":
        subprocess.run(
            ["rmdir", "/s", "/q", str(source_path)],
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
subprocess.run( ["rmdir", "/s", "/q", str(source_path)], shell=True, capture_output=True, timeout=300,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Symbolic link: requires admin
    cmd = ["mklink", "/D", str(source_path), str(target_path)]

result = subprocess.run(
    cmd,
    shell=True,
    capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, timeout=30, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Remove junction (doesn't delete target)
try:
    if os.name == "nt":
        subprocess.run(
            ["rmdir", path],
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
subprocess.run( ["rmdir", path], shell=True, capture_output=True, timeout=60, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Create symbolic link
try:
    if os.name == "nt":
        result = subprocess.run(
            ["mklink", "/D", path, actual_target],
            shell=True,
            capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( ["mklink", "/D", path, actual_target], shell=True, capture_output=True, timeout

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Rollback: remove target if we can't delete source
try:
    if os.name == "nt":
        subprocess.run(
            ["rmdir", "/s", "/q", str(target_path)],
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
subprocess.run( ["rmdir", "/s", "/q", str(target_path)], shell=True, capture_output=True,

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The module and class documentation frame this as generic or local 'directory analysis,' but the implementation initializes an external OpenAI-compatible provider and sends directory metadata off-host. This mismatch can cause operators to underestimate that filesystem-derived information is being disclosed to a third party, creating a privacy and trust boundary issue even if no malicious behavior is intended.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly shows AI analysis sending scanned directory metadata and user context to external AI providers, but it does not warn users that potentially sensitive filesystem information may leave the local machine. In an AI-agent context, this increases the chance of accidental disclosure of usernames, project names, directory structures, or other sensitive operational data to third-party services.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises cleanup and migration operations that can delete contents or move directories while creating links, but it does not prominently warn about the risk of data loss, broken applications, or the need to verify backups and dry-run behavior. For a tool intended for automation and AI-agent use, missing safety guidance makes destructive misuse more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The analyze method sends directory path, size, link type, and file type metadata to an external AI provider without any disclosure, confirmation, minimization beyond a count cap, or apparent policy enforcement in this file. Directory paths and file-type patterns can reveal sensitive project names, usernames, mount points, customer identifiers, or system structure, so silent exfiltration of this metadata is a real confidentiality risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
These rules use broad names like `build`, `dist`, `out`, `target`, `temp`, `tmp`, `log`, and `logs` and mark them as deletable. In a directory-cleaning skill, such generic pattern matching can misclassify user-created folders or important application data, leading to unintended data loss if downstream components automatically act on these recommendations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The analyze_directories tool can send local directory metadata to an external AI provider whenever prefer_ai is true and the AI service is available, without requiring explicit per-call acknowledgment that local filesystem information will leave the host. In an MCP/server context, callers may treat analysis as local by default, so this can cause unintended data disclosure of directory names, structure, and size information to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.