Back to skill

Security audit

huawei-cloud-msmodelslim-model-analysis

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent msModelSlim model-analysis guide, but it includes unsafe, under-warned guidance to execute model-supplied remote code.

Install only if you are comfortable reviewing model artifacts carefully. Do not use trust_remote_code=True on arbitrary or newly downloaded models unless the repository is trusted and pinned, and prefer inspecting config.json and modeling files as text in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as analysis-focused, but it instructs the agent to fetch files from a remote ModelScope repository. Expanding a local/offline analysis workflow into network retrieval increases the attack surface, can pull untrusted repository content into the session, and may violate user expectations about what data the skill accesses.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The documentation introduces an automated compatibility checker, migration blocker detection, and operator coverage scoring that go beyond the stated model-analysis scope. Scope expansion is risky because it can justify broader code inspection or inference-like behavior that users did not request, creating opportunities for overreach and unsafe tool use.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Introducing remote ModelScope download capability is dangerous because it brings external, potentially adversarial content into an otherwise local analysis workflow without a clearly necessary justification. Even if only non-weight files are requested, repository metadata and Python modeling files can still be hostile inputs that influence later analysis or downstream handling.

Vague Triggers

Medium
Confidence
75% confidence
Finding
Overly broad trigger terms can cause the skill to activate for generic requests such as 'model analysis' or 'feasibility,' leading to inappropriate invocation outside its intended niche. Misrouting is less severe than direct code execution, but it can still cause unnecessary file access, misleading guidance, or accidental expansion into unrelated workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly instructs users to load a model with trust_remote_code=True, which permits execution of model-supplied Python code during loading. In a model-analysis skill, users are likely to inspect arbitrary third-party models, so omitting a warning or safer workflow materially increases the chance they execute untrusted code on their workstation or analysis environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.