Cn Dev Setup

Security checks across malware telemetry and agentic risk

Overview

The skill is not deceptive, but it can persistently redirect developer tool package sources and weaken dependency trust settings, so it belongs in Review.

Install only if you intentionally want persistent mirror and registry changes for your development tools. Run status first, configure only named tools rather than --all, review any Docker daemon edits before using sudo, and avoid global pip trusted-host or Go GONOSUMDB=* unless you understand the trust tradeoff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill instructs running a script that can read and write user configuration files and invoke shell commands, but it does not declare those capabilities up front. That creates a transparency and consent problem: users or orchestration systems may treat it as low-risk documentation while it actually modifies local or system package-manager settings.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding:
The documented behavior does not accurately match what the skill actually does or claims to do, including undocumented reset/status functionality and overstated support for Maven, Gradle, Homebrew, and Docker automation. This mismatch can mislead users into executing commands that alter their environment under false assumptions, reducing informed consent and making unsafe or unexpected changes more likely.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding:
The activation text uses broad trigger phrases such as general development-environment or proxy setup requests, which can cause the skill to be invoked in contexts where the user did not specifically ask to modify registry or proxy settings. That increases the chance of unintended execution of environment-changing actions across multiple tools.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The quick-start encourages one-click configuration of many toolchains without prominently warning that it will modify persistent user and possibly system configuration files such as package-manager configs and Docker settings. In this context, the skill is designed to change trusted software supply endpoints, so silent or insufficiently explained bulk modification increases operational and supply-chain risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The pip guidance makes persistent trust and package-source changes by setting a global index URL and adding a trusted host, which alters how packages are fetched across environments. This is risky because it can weaken normal trust assumptions, obscure supply-chain provenance, and affect future installs beyond the immediate task without clearly warning the user about the security and persistence implications.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The Docker section instructs users to modify the system daemon configuration under /etc/docker and restart the Docker service, which is a privileged system-wide change. This can affect all container pulls on the machine, break existing setups, or redirect image traffic through third-party infrastructure without sufficient warning about persistence, scope, and trust implications.

VirusTotal

66/66 vendors flagged this skill as clean.