Security audit

ia-rust-systems

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Rust guidance skill with one code-example caution, but no hidden execution, persistence, data collection, or destructive behavior.

Safe to install as a Rust guidance skill. Treat backend examples as patterns to review rather than production-ready code: use generic client messages for internal errors, configure CORS explicitly for authenticated services, and keep credentials in your own environment or secret manager rather than in skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The example claims internal error details are never returned to clients, but the response body always uses self.to_string(), including for the AppError::Sqlx and AppError::Other variants. That can leak database errors, wrapped error-context messages, or other internal implementation details that help attackers enumerate the schema, dependencies, or failure modes.

VirusTotal

64/64 vendors flagged this skill as clean.