Security audit

iflow-nb

Security checks across malware telemetry and agentic risk

Overview

This looks like a real iflow knowledge-base skill, but it needs review because it can persist, share, generate from, and delete remote notebook content with some broad or under-confirmed defaults.

Install only if you are comfortable sending selected files, URLs, notes, and generated outputs to iflow. Before deletes, batch deletes, shares, or generation from a large notebook, ask the agent to show the exact notebook and files and wait for your explicit approval. Avoid setting IFLOW_BASE_URL unless you fully trust that endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README advertises delete, batch-manage, and share capabilities but does not instruct the agent or operator to require explicit confirmation before destructive or privacy-affecting actions. In an agent-skill context, this increases the chance that a natural-language request or ambiguous trigger causes unintended deletion, modification, or external sharing of notebook contents.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The example says the agent may automatically match or create a notebook and import a personal note, but it gives no privacy notice, destination preview, or consent requirement. Because the skill is broadly triggered by note-taking and saving intents, users may unknowingly store sensitive personal information in a remote knowledge base.

Vague Triggers

Severity: High
Confidence: 97%
Finding:
The trigger rules are extremely broad and include common everyday requests such as note-taking, saving links, daily records, and even ambiguous content-generation prompts. Because the skill can read credentials, write files, invoke shell scripts, and transmit data externally, unintended invocation can cause silent data upload, knowledge-base creation, or sharing actions the user did not clearly request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The sharing flow creates a link that exposes a read-only snapshot of all files and generated outputs in the knowledge base, but the workflow does not require a strong upfront warning about the full disclosure scope. A user asking to 'share with a colleague' may not realize unrelated or sensitive documents in the same knowledge base will also be exposed.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The example workflow encourages uploading local PDFs and importing a third-party URL into a knowledge base, but it does not mention consent, data retention, access controls, or the privacy implications of sending potentially sensitive research materials to a backend service. This can lead users to unknowingly store copyrighted, personal, or confidential content in a shared or persistent system without understanding how the data will be processed or exposed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs transmitting user-pasted content to a remote knowledge base and persisting it there, but the user-facing response only says the content was saved and does not clearly disclose the storage and processing implications beforehand. This can cause users to unknowingly upload sensitive notes, meeting minutes, or personal data to an external service, creating privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documented workflow requires the agent to write user-provided content into a local temporary markdown file, but this local persistence is never disclosed to the user. Even if temporary, writing potentially sensitive content to disk can expose it to local compromise, backups, crash dumps, or improper cleanup, especially in shared or multi-tenant environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The workflow automatically imports research results and source materials into a knowledge base and then triggers report generation, which causes persistent data changes without an explicit user confirmation step at the point of execution. This is dangerous because users asking for research may not realize the skill will store external content, create records, and incur downstream processing on their behalf, increasing privacy, compliance, and unwanted-data-retention risk.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The documented default flow automatically imports third-party web search results into a knowledge base and then submits them for report generation, which can cause unintended data retention, ingestion of untrusted content, and downstream sharing or transformation without a clear user confirmation step. In a knowledge-management skill, this is especially risky because users may believe they are only searching, while the system persists external content and triggers additional processing by default.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly marks destructive deletion of a knowledge base and single files as requiring user confirmation, but the batch-delete operation is listed without the same safeguard. That omission can lead an agent to delete multiple files irreversibly based on an ambiguous or indirect user request, increasing the chance of accidental data loss.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The example for `batchDeleteCollectionContent` provides a ready-to-run destructive API call without first instructing the agent to obtain user confirmation. In practice, examples strongly influence agent behavior, so this can normalize unsafe execution of irreversible bulk deletions and cause unintended loss of stored materials.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The shareNotebook endpoint creates a share link for notebook contents, but the documentation does not warn that generating or distributing the link may expose private knowledge-base data to unintended recipients. In this skill context, the agent is explicitly encouraged to share knowledge bases for users, so missing privacy guidance increases the chance of accidental data disclosure through link creation or casual sharing.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The skill defines `files` as optional and explicitly states that omitting it causes generation to use all files in the knowledge base. In a knowledge-management context, that creates over-broad data processing by default and can cause unrelated or sensitive documents to be included in generated outputs without the user's informed selection.

Vague Triggers

Severity: High
Confidence: 99%
Finding:
The instruction says that when the user does not specify files, the agent should 'not ask' and should directly use the entire knowledge base. This removes an important consent boundary and increases the chance of generating reports, PPTs, podcasts, or videos from unintended documents, potentially exposing private material in downstream outputs or shares.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The documentation states that all files will be used by default when `files` is not provided, but it does not require notifying the user that broad collection-wide content will be processed. Lack of disclosure undermines user expectations and can lead to silent inclusion of sensitive data in generated artifacts.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The document explicitly directs the agent to process all files without warning or asking when the user has not named specific files. In this skill's context, that is especially risky because the generated outputs can be exported or shared, amplifying any accidental over-collection into a confidentiality breach.

VirusTotal

53/53 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.