Back to skill

Security audit

Saturnday

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper around the Saturnday governance/build tool, but its run and guard modes can modify repositories and send code to AI backends.

Install only if you trust the external Saturnday package. Use scan mode for lower-impact review, and run guard/run/repair modes only on intended repositories with a clean git state or backup. Pass an explicit backend and avoid AI-backed run mode on confidential code unless that provider is approved for the data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises shell, file read, environment variable, repository modification, dependency installation, and AI-backend transmission behaviors, but the metadata does not declare corresponding permissions. This creates a trust and consent gap: a caller may invoke the skill without realizing it can read local files, access API keys, run commands, install packages, modify git repositories, and send repository contents to external services.

Vague Triggers

Low
Confidence
80% confidence
Finding
The invocation example 'Fix the findings' is overly broad for a skill that can repair repositories, install dependencies, commit changes, and use external AI backends. Without clear scope constraints, a generic user request could trigger invasive actions on an unintended path or repository, increasing the chance of unsafe modification or data exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently initializes a Git repository and creates an empty commit in any user-supplied project path. In an automation or agent context, this can unexpectedly modify directories, alter tooling behavior, and create durable state without an explicit warning or consent checkpoint.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script invokes the saturnday planning pipeline on a target repository without a strong safety disclosure, even though the tool is explicitly designed to generate and modify project artifacts. In agent-driven environments, this increases the chance of unintended repository writes or execution of high-impact workflows in the wrong directory.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The script auto-selects API backends based on the presence of sensitive credentials in environment variables, but it does not clearly disclose that behavior to the user. This can cause the tool to route prompts or repository content to a remote provider unexpectedly when keys are present in the environment.

Unvalidated Output Injection

High
Category
Output Handling
Content
"--format", scan_fmt,
    ]

    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
Confidence
73% confidence
Finding
subprocess.run( cmd, capture_output

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.