Stellar Trails

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad workflow helper, but it also directs agents to start a persistent network-facing preview server and write task history files automatically, so users should review it before installing.

Install only if you want a strongly opinionated always-on workflow framework and are comfortable with automatic local logging plus a background preview server. Before use, consider disabling Step 1.5/dev.sh, binding any preview server to 127.0.0.1, making worklog and memory writes opt-in, and avoiding git pull or update actions unless explicitly requested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Description-Behavior Mismatch

Medium, 94% confidence
The changelog describes a network-based self-update mechanism executed from within a skill whose declared role is only a task-processing framework. Even though later entries discuss making it safer, a skill that reaches out to the network to discover or fetch updates materially expands its authority and creates a supply-chain risk path from remote content into future execution.

Description-Behavior Mismatch

Medium, 93% confidence
This documents automatic background launch of a local web server despite the skill being presented as a universal internal phase framework. Hidden side effects like spawning services increase attack surface, can enable persistence, and violate least surprise for users and agents deciding whether the skill is safe to load.

Context-Inappropriate Capability

Medium, 95% confidence
Background process management and HTTP serving are not justified by the stated purpose of a planning/phase-machine skill. Unrelated execution capabilities are risky because they provide a foothold for persistence and local service exposure without a clear business need tied to the skill's advertised function.

Context-Inappropriate Capability

Medium, 88% confidence
The version-freshness step performs outbound network access to GitHub during activation even though the skill is framed as an internal workflow aid. Any automatic network contact expands attack surface, leaks usage metadata, and is especially risky because the skill activates on every task.

Intent-Code Divergence

High, 95% confidence
The file claims the skill is 'pure markdown data' and requires no shell execution, then later instructs background execution of dev.sh. Internal contradictions like this are a red flag because they obscure real capabilities and can be used to smuggle execution past reviewers.

Context-Inappropriate Capability

High, 97% confidence
Auto-starting a background HTTP preview server is unrelated to a universal workflow framework and introduces process persistence and network exposure. Because activation is mandatory for every task, this causes unnecessary side effects even when the user only asked a question or requested non-web work.

Context-Inappropriate Capability

Medium, 90% confidence
Mandating persistent worklog reads and writes broadens the skill from internal reasoning into stateful filesystem modification. Persisting task context to disk can leak sensitive prompts, codebase details, or user data across sessions without clear consent.

Context-Inappropriate Capability

Medium, 89% confidence
The skill requires git synchronization operations as part of normal workflow, which is outside the narrow role implied by its description. Automatic fetch/pull behavior can change repository state, contact remotes, and interfere with user-controlled development flow.

Context-Inappropriate Capability

Medium, 92% confidence
The script implements a long-running HTTP server with automatic crash-restart behavior, which materially expands the skill's capabilities beyond an internal phase/traceability framework. This creates an always-on service surface that can expose files from the configured directory and increases attack surface without clear justification from the skill metadata.

Intent-Code Divergence

High, 99% confidence
The comments state 'No network,' but the code starts a server bound to 0.0.0.0, which listens on the network and serves directory contents. This mismatch is dangerous because it conceals externally reachable behavior from reviewers and users, undermining informed consent and making accidental exposure more likely.

Intent-Code Divergence

Medium, 91% confidence
The Git section first says to stop and ask the user before resolving divergence, but later instructs the agent to run `git pull` during stale-data analysis. That contradiction can cause autonomous repository-altering actions in exactly the situation where the procedure earlier required explicit user approval, increasing the chance of unintended merges or state changes.

Context-Inappropriate Capability

Medium, 97% confidence
The skill instructs the agent to read and later rely on persistent local files such as `/home/z/my-project/worklog.md` and `memory/MEMORY.md` as part of routine task handling. For a broadly auto-activating framework, this creates unnecessary cross-task data retention and can leak prior task details into unrelated sessions, especially because the persistence is framed as a default operational requirement rather than an opt-in feature.

Context-Inappropriate Capability

Medium, 89% confidence
The procedure requires external research and official-documentation lookup for tasks even though this skill is presented as an internal orchestration framework that activates on virtually every request. That broad mandate can cause unintended network access, unnecessary disclosure of user intent to external services, and expansion of the skill's effective authority beyond what users expect for an internal phase wrapper.

Context-Inappropriate Capability

Medium, 93% confidence
The document instructs the skill to manage and persist a local HTTP server, including auto-restart and automatic relaunch on invocation, even though the skill is described as a generic phase-machine framework rather than a web-serving tool. This expands the skill's runtime behavior beyond user-visible need, creates hidden background services, and increases attack surface through persistent network exposure and process management.

Missing User Warnings

Medium, 92% confidence
The README provides one-line installation commands that download remote content and perform multiple filesystem writes without prominently warning users what directories will be modified or that they are trusting the latest release artifact. In an agent-skill context, terse copy-paste install chains increase the chance of users or automated systems making persistent changes without adequate review.

Vague Triggers

High, 94% confidence
The activation scope is intentionally universal and applies to nearly any user request. Overbroad invocation is dangerous because it maximizes the number of contexts in which side-effecting behavior like shell commands, network access, and file writes will be introduced.

Vague Triggers

High, 95% confidence
Requiring this framework before any task output gives it priority over safer, task-specific handling and effectively forces hidden pre-processing on all requests. Combined with the embedded shell/network/file behaviors, this creates systemic exposure rather than isolated risk.

Vague Triggers

High, 95% confidence
Stating that the framework activates for every task without exception ensures its side effects can occur in contexts where they are unnecessary and unexpected. The danger is amplified by the mismatch between claimed internal workflow purpose and actual operational behaviors.

Missing User Warnings

Medium, 92% confidence
The skill instructs appending snapshots to a local worklog without any user-facing warning or consent. Silent local file modification is risky because it persists potentially sensitive information and violates least surprise.

Missing User Warnings

Medium, 92% confidence
Mandating worklog appends 'in all cases' normalizes silent persistence regardless of task sensitivity. A universal skill with automatic disk writes creates cross-task data retention risk and can leave artifacts users never requested.

Missing User Warnings

Medium, 98% confidence
Binding the HTTP server to 0.0.0.0 exposes it on all available interfaces rather than only the local machine. Because the server uses SimpleHTTPRequestHandler to serve files from the target directory and provides no authentication or user-facing warning, other reachable hosts may access those contents if network isolation is absent or misconfigured.

Missing User Warnings

Medium, 94% confidence
The skill instructs automatic persistence of session digests without requiring an explicit user-facing notice or consent at write time. In an always-on skill, this creates a meaningful risk of silently modifying the filesystem and retaining user/task content beyond the current interaction.

Missing User Warnings

Medium, 95% confidence
Automatic incident logging persists error details without explicit approval, which can silently store prompts, paths, stack traces, or sensitive operational context. Because the data is retained in plain markdown, the write is both durable and easy to overlook.

Missing User Warnings

Medium, 92% confidence
Allowing the skill to create the `memory/` directory and files on first write means it can make persistent filesystem changes without a clear user warning. Even though the scope is limited to `memory/`, silent creation still changes the workspace and may surprise users or violate expectations.

Missing User Warnings

Medium, 93% confidence
The procedure instructs reading `/home/z/my-project/dev.log` directly without warning that logs may contain secrets, tokens, personal data, stack traces, or customer content. In an always-on skill, this normalizes unrestricted inspection of potentially sensitive files and can lead to unnecessary data exposure to the agent and downstream outputs.

VirusTotal

61/61 vendors on VirusTotal reported this skill as clean.
