huditest

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its skill-building purpose, but it needs review because it can use the local Claude session, send skill/eval content to Claude, and automatically terminate processes on its viewer port.

Install only if you are comfortable with a skill that runs local Python helpers, starts review servers, edits/packages skills, and uses your Claude CLI session for evaluations. Before running the viewer, check whether port 3117 is in use; before running description optimization, review eval data and skill contents for secrets or proprietary information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The helper kills any process listening on the chosen port, regardless of ownership or whether it is related to this tool. In a local development environment, this can terminate unrelated services or security-sensitive applications, causing denial of service or data loss.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The page loads external resources from Google Fonts and SheetJS CDN, which creates a supply-chain and privacy risk because opening the local viewer causes network requests to third parties. If those resources are changed upstream, blocked, or monitored, the eval viewer can leak usage metadata or execute attacker-controlled JavaScript in the review context.

Vague Triggers

Medium
Confidence: 84%
Finding
The guidance explicitly recommends making skill descriptions more 'pushy' so they trigger even when the user does not ask for the skill directly. That can cause over-triggering and context collision, where a powerful skill that can execute commands, modify files, and run evaluations is invoked for ordinary adjacent requests, expanding attack surface and increasing the chance of unintended actions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The instruction to write results to `{outputs_dir}/../grading.json` performs file creation/overwrite outside the explicitly provided output directory, which can clobber adjacent files if `outputs_dir` is attacker-controlled or unexpectedly resolved. In an agent setting, even a seemingly routine sibling-path write expands the write scope and creates a path traversal/unauthorized overwrite risk unless the destination is validated and users are made aware of the side effect.

Missing User Warnings

Medium
Confidence: 96%
Finding
The main flow unconditionally calls the port-killing routine before starting the server, with no explicit consent at the moment the destructive action occurs. Because this script is part of a skill-creation/evaluation workflow, users may run it on shared workstations where unexpectedly terminating another local service is especially disruptive.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code embeds full skill content, eval failures, prior attempts, and possibly test data into a prompt and sends it to an external model process without any explicit consent gate, redaction step, or visibility to the end user at the call site. If SKILL.md, history, or eval data contain proprietary prompts, secrets, internal examples, or sensitive customer data, this causes unintended data disclosure outside the local process boundary.

VirusTotal

61/61 vendors flagged this skill as clean.