Security audit

QA QuickCheck

Security checks across malware telemetry and agentic risk

Overview

This QA testing skill is mostly purpose-aligned, but it includes ungated code execution from test templates and active project/network testing that are not tightly scoped or clearly controlled.

Install only if you intend to run it in an isolated test environment. Do not run Standard mode or the helper scripts against production services, do not use untrusted template/config files, avoid the $custom data-factory feature, and review any generated HTTP test config or post URL before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 78%
Finding:
The skill declares no permissions, yet its documented behavior implies access to environment capabilities and execution of scripts that may rely on local environment data. This creates an authorization and transparency gap: users and hosting platforms cannot accurately assess what capabilities are needed before the skill runs.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The skill is presented as a routine QA helper, but the described behavior extends to writing local files, sending bulk HTTP/HTTPS test traffic, tracking created resources, and performing security-relevant scans such as CORS, Cookie, and debug endpoint checks. This mismatch can cause users to invoke the skill without understanding that it may modify local state or actively interact with external services, increasing the risk of unintended actions against sensitive environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
This static-audit skill section instructs the agent to infer project startup commands and handle startup failures/alternate ports, which expands behavior from passive code review into active execution. In a security-analysis context, that can cause an agent to run untrusted project code, including install hooks, dev servers, or attacker-controlled startup scripts, increasing risk of code execution and environmental exposure.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The file explicitly claims the workflow only depends on source, config, and command-line audit tools and does not require the project to run, yet later directs startup attempts and port fallback behavior. This contradiction is dangerous because operators may trust the static-only safety boundary and unknowingly execute untrusted applications, undermining the stated threat model.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The documented `$custom:JS代码` capability allows template authors to inject and execute arbitrary JavaScript, and the implementation later uses `new Function` to run it. In a QA helper, template files are input data and may come from repos, PRs, or teammates, so this turns untrusted test data into code execution on the operator's machine or CI runner.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding:
The script can POST generated records to any user-supplied HTTP(S) endpoint, which creates an outbound data-transfer primitive. In a test utility this may be intended, but when combined with generated or template-derived content it can be abused for SSRF-like access to internal services or for sending sensitive data from CI or developer environments to attacker-controlled endpoints.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README advertises dynamic testing and automatic project startup, but it does not clearly warn users that the skill will launch and exercise the target application. In a testing skill, this can trigger unintended code execution, network access, state changes, or interaction with real services if users assume the tool is purely passive or read-only.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The trigger keywords include broad everyday phrases such as '测试' (test), '代码审查' (code review), and '静态扫描' (static scan), which can cause accidental activation in normal conversations. In this skill's context, mis-triggering is more dangerous because Standard mode may read multiple references, run scripts, perform dynamic tests, and generate output files.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill states it will generate `test-report.md` in the project root, which is a write action, but the user warning is insufficiently prominent and conflicts with the broader '只读不写' (read-only, no writes) claim elsewhere in the document. This can lead to unauthorized filesystem changes, confusion about trust boundaries, and accidental inclusion of generated artifacts in commits or CI workflows.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The instruction to record operating system, runtime versions, and key dependency versions as an environment snapshot can cause unnecessary collection and disclosure of host details. While useful for debugging, such data may reveal internal infrastructure characteristics or sensitive local environment metadata if included in reports or shared externally.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The file instructs an agent to perform active security testing such as unauthorized-access checks and injection probes, but the warning model is incomplete because it lacks a strong user-facing consent/risk gate immediately before execution. Although it limits execution to test environments, the skill still contains concrete offensive procedures that could be misapplied against non-test targets or run with mistaken environment classification, causing service disruption, data exposure, or policy/legal violations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill advertises custom JS execution in template syntax without meaningful safety disclosure, even though this grants code execution through what appears to be a data file. That mismatch increases the likelihood that users will treat templates as harmless fixtures and unknowingly run attacker-supplied code.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The code constructs a function from template input via new Function("random", "index", `return ${customMatch[1]}`) and executes it with no confirmation, sandboxing, or trust boundary. This is direct arbitrary code execution from untrusted input, enabling command execution, file access, credential theft, or CI compromise depending on runtime privileges.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
| Tech stack | Dependency file | Lock file | Config file |
|:---|:---|:---|:---|
| Node.js | `package.json` | `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` | `.npmrc` |
| Python | `requirements.txt` / `pyproject.toml` | `poetry.lock` / `Pipfile.lock` | `pip.conf` |
| Java/Maven | `pom.xml` | None (dependencies live in the local repository) | `.m2/settings.xml` |
| Java/Gradle | `build.gradle` | `gradle.lockfile` | `gradle.properties` |
Confidence: 21%
Finding: .npmrc

Credential Access

Severity: High
Category: Privilege Escalation
Content:
- SQL injection: `' OR '1'='1`, `'; DROP TABLE users; --`
- NoSQL injection: `{"$gt": ""}`, `{"$ne": null}`
- XSS probing: `<script>alert(1)</script>`, `<img src=x onerror=alert(1)>`
- Command injection: `; ls`, `| cat /etc/passwd`
- Template injection: `${{7*7}}`, `{{constructor.constructor('return this')()}}`

**Important**: after each payload is sent, record the response status code and a truncated response body. The focus is on observing whether the response is abnormal (for example, data that should not have been returned, or SQL error messages).
Confidence: 88%
Finding: /etc/passwd

Credential Access

Severity: High
Category: Privilege Escalation
Content:
const rawConfig = JSON.parse(fs.readFileSync(configFile, "utf-8"));
let config = { ...rawConfig };

if (envName && rawConfig.env && rawConfig.env[envName]) {
  config = { ...rawConfig, ...rawConfig.env[envName] };
  console.log(`使用环境配置: ${envName}`);
}
Confidence: 60%
Finding: .env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
    "/api-docs",
    "/actuator",
    "/graphql",
    "/.env",
    "/phpinfo",
    "/console",
    "/metrics",
Confidence: 60%
Finding: .env"

Credential Access

Severity: High
Category: Privilege Escalation
Content:
    "/api-docs",
    "/actuator",
    "/graphql",
    "/.env",
    "/phpinfo.php",
    "/console",
    "/metrics",
Confidence: 60%
Finding: .env"

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Severity: Critical
Code: suspicious.dynamic_code_execution
Location: scripts/data-factory.js:198