Back to skill

Security audit

Free Scaling

Security checks across malware telemetry and agentic risk

Overview

This skill largely does what it claims, but it can reuse local OpenClaw/GitHub credentials for Copilot and stores inference history, so users should review it carefully before installing.

Install only if you are comfortable sending prompts and context to NVIDIA NIM and possibly GitHub Copilot, and only if local GitHub/OpenClaw credential reuse is acceptable in your environment. Avoid secrets or regulated data unless you have reviewed provider policies and local cache files, and consider isolating or clearing ~/.cache/free-scaling and Copilot token files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The Copilot support code searches local auth-profile files for GitHub OAuth tokens, uses them to mint fresh session tokens, and stores the refreshed token locally. That is a powerful credential-access and token-exchange capability that goes beyond a simple voting engine and can surprise users by repurposing unrelated local credentials without explicit consent.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The module advertises itself as a core voting engine, but the implementation also reads local credential files, searches agent profile directories for GitHub tokens, writes refreshed session tokens, and contacts GitHub/Copilot endpoints. This mismatch increases the chance that operators enable the skill without understanding its credential-handling and data-transmission behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that every scale() call automatically logs votes to an ELO tracker and incorporates user feedback and A/B signals, but it does not clearly warn users what data is stored, where it is stored, and whether prompts, outputs, identifiers, or reaction metadata may be persisted. In an agent skill used on emails, code, moderation content, or other sensitive inputs, implicit telemetry or local logging can create privacy, compliance, and data-governance risks because operators may unknowingly process sensitive content under the assumption that the tool is stateless.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that every scale() call logs deployment data and runs a shadow challenger, which means user prompts and context may be sent to more models or services than the user expects. Without a clear disclosure and consent mechanism, sensitive data could be replicated across additional providers, increasing exposure and retention risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic routing through the GitHub Copilot API changes the data recipient and trust boundary, but the documentation does not warn users that prompts/context may be shared with another external service. In a skill designed to process arbitrary user context, this omission can lead to unintentional disclosure of proprietary or sensitive information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function sends user-supplied question and optional system/context material to external model backends via call_model() with no disclosure, minimization, or consent mechanism visible in this file. In a skill that explicitly supports routing across many providers and fallback models, this expands the data exposure surface and can leak sensitive prompts or embedded context to third-party services unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists question text, final answer, and vote data through feedback logging without any indication of notice, consent, retention policy, or sanitization. Because this skill is designed for broad inference workloads, logged prompts may contain proprietary code, internal documents, or personal data, creating unnecessary retention and secondary-use risk if storage is later accessed or mishandled.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module persistently stores user questions, answers, message IDs, and arbitrary metadata in a local JSON file under the user's home directory, but there is no user-facing notice, consent flow, retention control beyond a fixed FIFO cap, or minimization of sensitive fields. In this skill context, feedback may include Discord-linked identifiers, email subjects, and other operational content, so local persistence can expose sensitive data to other local users, backups, endpoint tooling, or later compromise of the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function forwards user-supplied question/context directly to external model providers via call_model(), which can expose sensitive or regulated data to third parties if callers pass private content. In an ensemble design this risk is amplified because the same input may be transmitted to multiple providers, increasing disclosure surface and retention risk even if the code's purpose is legitimate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The judging phase resends the original question plus generated outputs to additional external models, creating a second disclosure path that may leak sensitive user data and model-produced sensitive inferences. Because outputs can contain transformed or summarized secrets from the context, sending them again to separate judges broadens exposure beyond the initial generation round.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code enumerates local auth-profile files, extracts any token matching the GitHub user-token prefix, and transmits it to GitHub to obtain a Copilot session token, all without any visible disclosure or prompt in this file. Even if sent only to GitHub, harvesting credentials from unrelated local files creates an unnecessary privacy and security boundary crossing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This audit preset collects system state, converts it into questions, and sends those question texts to external backends (`scale()` and optionally `call_copilot`) without any explicit consent gate, redaction step, or user-facing notice at the moment data leaves the local environment. Because the questions are derived from system audit data, they may contain sensitive host, configuration, security, or operational details that are unnecessarily exposed to third-party model services.

Ssd 3

Medium
Confidence
96% confidence
Finding
Automatic logging of user interactions, votes, feedback, and deployment outcomes creates a data retention surface for potentially sensitive natural-language content. In this skill’s context—where users may submit code, emails, papers, or source/output comparisons—retained logs can contain secrets, proprietary content, or personal data and become a leak target.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
nim_ensemble/benchmark.py:143

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
nim_ensemble/cascade.py:55

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/test_core.py:221