Security audit

Product Design Workflow

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it handles server credentials and report destinations in ways that need human review before use.

Review before installing. Use only a restricted server account, prefer SSH keys over passwords, remove or parameterize the hard-coded group ID, confirm every upload/report destination, and avoid running the upload script until credential logging and shell command construction are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""执行命令"""
    print(f"执行: {cmd}")
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        if result.returncode != 0:
            print(f"错误: {result.stderr}")
        return result.returncode == 0
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires reading local reference files and executing shell commands (`python scripts/...`), including a script that uploads artifacts to a remote server, yet no explicit permissions are declared. This creates a transparency and containment gap: an agent may perform filesystem access and command execution beyond what a user expects, especially when combined with credential-driven deployment steps.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The template hard-codes a specific leader group ID instead of using the user-supplied `target-group-id`, which can cause sensitive operational updates, URLs, and exception details to be sent to an unintended fixed recipient. In this skill's context, the workflow automatically generates and uploads demos daily, so misrouting reports creates a persistent data leakage channel and can disclose internal project activity without user consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs uploading generated demos to a server and sending step-by-step reports to a group, but it does not present a clear user-facing warning that these actions can modify remote systems and disclose generated content externally. In a workflow that automates publication and messaging, lack of explicit impact disclosure increases the risk of unintended data exposure or unauthorized deployment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill asks the user to provide `server-pass` directly and documents credential collection without any warning or safer handling guidance. Collecting plaintext server passwords inside a skill significantly raises the risk of accidental disclosure, logging exposure, reuse abuse, and compromise of the target host.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The password is accepted as a command-line argument and then interpolated into command strings, which can expose it via shell history, process listings, logs, and error output. In this workflow, the skill asks users to provide real server credentials, so credential leakage would directly compromise the deployment target.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.