Security audit

Product Design Workflow

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it handles server credentials and report destinations in ways that need human review before use.

Review before installing. Use only a restricted server account, prefer SSH keys over passwords, remove or parameterize the hard-coded group ID, confirm every upload/report destination, and avoid running the upload script until credential logging and shell command construction are fixed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: """执行命令""" print(f"执行: {cmd}") try: result = subprocess.run(cmd, shell=True, capture_output=True, text=True) if result.returncode != 0: print(f"错误: {result.stderr}") return result.returncode == 0
Confidence: 98% confidence
Finding: result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill requires reading local reference files and executing shell commands (`python scripts/...`), including a script that uploads artifacts to a remote server, yet no explicit permissions are declared. This creates a transparency and containment gap: an agent may perform filesystem access and command execution beyond what a user expects, especially when combined with credential-driven deployment steps.

Description-Behavior Mismatch

Medium

Confidence: 98% confidence
Finding: The template hard-codes a specific leader group ID instead of using the user-supplied `target-group-id`, which can cause sensitive operational updates, URLs, and exception details to be sent to an unintended fixed recipient. In this skill's context, the workflow automatically generates and uploads demos daily, so misrouting reports creates a persistent data leakage channel and can disclose internal project activity without user consent.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs uploading generated demos to a server and sending step-by-step reports to a group, but it does not present a clear user-facing warning that these actions can modify remote systems and disclose generated content externally. In a workflow that automates publication and messaging, lack of explicit impact disclosure increases the risk of unintended data exposure or unauthorized deployment.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill asks the user to provide `server-pass` directly and documents credential collection without any warning or safer handling guidance. Collecting plaintext server passwords inside a skill significantly raises the risk of accidental disclosure, logging exposure, reuse abuse, and compromise of the target host.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The password is accepted as a command-line argument and then interpolated into command strings, which can expose it via shell history, process listings, logs, and error output. In this workflow, the skill asks users to provide real server credentials, so credential leakage would directly compromise the deployment target.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.