Back to skill

Security audit

e2e-delivery

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful end-to-end delivery automation tool, but it can change your local environment and external project records automatically without enough confirmation gates.

Review carefully before installing. Use it only in a controlled work environment where you are comfortable with it installing or upgrading CLIs/skills, creating PingCode subtasks, pushing code, creating and merging MRs, triggering CI, writing local session/report files, and syncing reports to REDoc. Prefer adding explicit approval gates for installs, external work item creation, live endpoint calls, merges, and any external report upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill explicitly performs local file reads and writes for session state and report generation, but it does not declare corresponding permissions or provide a clear capability boundary. This creates a trust and containment problem: users may invoke the skill expecting orchestration only, while it can mutate local state and persist workflow data on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose is an end-to-end delivery workflow, but the skill behavior also includes generic session mutation, arbitrary local state tracking, and logging of request/response payloads. That mismatch is dangerous because it hides broader data handling and file modification capabilities from the user, increasing the chance of unintended persistence of sensitive project, test, or workflow information.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The flow explicitly instructs the agent to auto-create a PingCode server-side subtask and says '不需要征求用户同意', which authorizes an external state-changing action beyond passive analysis. In an end-to-end delivery skill this may be operationally convenient, but it still creates project artifacts without explicit user approval, which can surprise users, alter audit trails, and be abused to create or associate unintended work items.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill directs the agent to call newly deployed interfaces for functional verification and to record request/response details. This grants the workflow an active capability to interact with live deployed services, which can trigger side effects, touch sensitive environments, or expose data if the endpoint choice or request contents are unsafe.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill states that it will proactively install or upgrade CLIs and other skills and also writes local session/report files, but it does not surface these side effects as an explicit warning in the main description. Automatic installation and silent local writes can change the user environment, introduce supply-chain risk, and persist sensitive workflow data without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs writing a configuration file directly into the user's home directory without explicit consent, validation of the provided value, or explanation of persistence and side effects. In an agentic workflow, this creates a lasting local state change that could misroute later report uploads or overwrite expected configuration unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to proactively run global npm install and upgrade commands from an internal HTTP registry, causing system-wide changes and network access without a clear warning or approval gate. This is dangerous because it can alter the execution environment, introduce untrusted package updates, and, due to use of plain HTTP, exposes the install path to tampering or man-in-the-middle attacks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This line explicitly states that automatic subtask creation should occur without user warning or consent. Removing the approval gate for an external write action increases the risk of unauthorized workflow changes, accidental ticket sprawl, and hidden state changes that the user may not expect the agent to perform.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template explicitly instructs the agent to persist a detailed end-to-end delivery report both to a local filesystem path and to an external REDoc location, but it provides no consent gate, data-classification check, or warning that the content may include sensitive work item metadata, repository details, MR links, test submission IDs, and raw events JSON. In this skill context, the risk is elevated because the report aggregates operational and potentially proprietary engineering data, and the appendix includes a full event log that may capture secrets, tokens, internal URLs, or other sensitive workflow artifacts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs the agent to automatically create a server-side subtask and proceed without warning or user confirmation when a work item is of type `task`. This is a real workflow-integrity issue because it authorizes mutation of project state and ownership metadata (`workspace/owner/business_line`) without explicit user consent, which can create unintended records, misassignment, or policy violations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.