Funky Fund Flamingo

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malware, but it needs review because it reads private agent history and memory into prompts and pushes file-changing self-evolution by default.

Install only if you intentionally want a meta-skill that reads local agent logs, memory, user profile files, and skill metadata to produce self-improvement prompts. Prefer --dry-run or --review, avoid feeding generated prompts to a cloud model unless the logs and memory are safe to disclose, keep secrets out of USER.md/MEMORY.md/session logs, and narrow or manually confirm activation before allowing file mutations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises optional environment-variable behavior and explicit Node.js execution modes, while the static analyzer indicates shell and environment capabilities are present without corresponding declared permissions. That creates a transparency and containment problem: operators may trust the manifest to understand risk, but the skill can access more powerful local capabilities than declared, increasing the chance of unintended command execution or access to sensitive local state.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The SKILL.md presents the skill primarily as repair-first self-evolution, but the detected behavior set is materially broader: monetization analysis, archival/maintenance of session directories, evolution-history extraction, production gating, and local security scanning. This mismatch is dangerous because users may grant trust and run the skill under an incomplete understanding of what it actually does, especially since it reads sensitive logs/memory and pressures frequent mutations via 'must_evolve_each_cycle' and 'no_op_forbidden'.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The skill loads the workspace .env file into process memory even though its main purpose is log/memory analysis and prompt construction. This unnecessarily broadens access to secrets and increases the blast radius because any later prompt-building, logging, or downstream model interaction can accidentally expose environment-derived credentials.

Intent-Code Divergence

Severity: High
Confidence: 88%
Finding: The header claims the module does not execute downstream tools directly, but the generated prompt explicitly instructs an upstream runner/agent to mutate files and use tools. This mismatch is dangerous because it conceals the skill's effective capability, undermining operator trust and making risky automation more likely to run without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README explicitly advertises scanning local session logs, memory, and persistent state, but it does not clearly disclose that these sources may contain sensitive prompts, credentials, personal data, or proprietary workflow history. For a self-modifying meta-skill, this omission is security-relevant because users may enable it without understanding the privacy and data-handling implications of broad local analysis.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill explicitly states that interaction history will be captured for analysis, billing, and optimization, but it does not mention user notice, consent, retention limits, or access controls. In a memory-aware, self-evolving agent, broad logging of conversations can expose sensitive user data to secondary uses and increase privacy, compliance, and insider-misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The generated prompt embeds raw user registry and session transcript content, which may contain secrets, personal data, or sensitive operational context. Emitting this material into model input creates a direct disclosure channel to downstream LLM infrastructure and any logs or observers attached to that pipeline.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The self-driving loop is enabled by generic CLI flags and does not appear to constrain where or how those flags may be supplied. In a self-evolving skill with high authority over code, skills, memory, tooling, and workflow, ambiguous activation increases the chance of unintended autonomous behavior, causing unsupervised mutation cycles or repeated local actions when the flags are present in broader execution contexts.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger list includes very generic terms such as "repair", "evolve", and "evolution", which are likely to overlap with many normal agent tasks and can cause unintended activation of this skill. In this skill's context, accidental invocation is more dangerous because it advertises self-evolution, log auditing, and mutation behavior, so a false trigger could launch autonomous modification or review workflows when the user did not intend that scope.

Ssd 3

Severity: Medium
Confidence: 88%
Finding: The guidance explicitly promotes 'instrumenting usage for billing or optimization' without any accompanying privacy, consent, data-minimization, retention, or access-control requirements. In a self-evolving agent skill that governs capability proposals and workflow changes, this can normalize adding telemetry that captures user activity or sensitive operational data beyond what is necessary, increasing privacy and compliance risk.

Ssd 3

Severity: High
Confidence: 98%
Finding: The prompt explicitly instructs ingestion of USER.md and raw session transcript data and reproduces them verbatim in the model context. That creates a natural-language exfiltration channel: sensitive local data is transferred to another component for processing, where it may be retained, echoed, or leak through outputs.

VirusTotal

66/66 vendors flagged this skill as clean.
