Ai Dev Tools

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it mixes broad recommendation triggers, affiliate incentives, and a hard-coded non-HTTPS API in ways users should review before installing.

Install only if you are comfortable with affiliate-influenced recommendations and broad automatic activation. Prefer local command use over the documented remote HTTP API, avoid sending sensitive project or business details, and treat returned links as promotional unless the publisher adds clearer disclosure, safer parameter handling, HTTPS/privacy details, and narrower triggers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Intent-Code Divergence

Severity: High, confidence 98%
The function explicitly claims affiliate-link updates require administrator privileges, but no authentication, authorization, or capability check is implemented before modifying products.json. In an agent-skill context, this creates an integrity risk: any caller able to invoke the function could alter monetization destinations, redirect users to attacker-controlled links, or tamper with business data.

Context-Inappropriate Capability

Severity: Medium, confidence 91%
A skill presented as a recommendation/affiliate lookup tool also contains hidden state-changing functionality that edits the backing product data. This expands the attack surface beyond user expectations and makes misuse easier, especially if an agent exposes all callable functions without strong policy separation.

Intent-Code Divergence

Severity: Medium, confidence 98%
The function claims affiliate-link updates require administrator permission, but no authentication, authorization, or capability check is performed before rewriting the local product database and marking the product active. In an agent-skill context, any caller able to invoke this function could change monetization targets, redirect users to attacker-controlled links, or activate previously inactive products.

Description-Behavior Mismatch

Severity: Medium, confidence 95%
The skill's apparent purpose is read-only recommendation and affiliate-link retrieval, but it also exposes a state-changing function that rewrites stored affiliate links and product status. This hidden write capability expands the trust boundary and can be abused to alter recommendations or inject malicious destinations without users expecting administrative side effects from the skill.

Context-Inappropriate Capability

Severity: Medium, confidence 90%
Administrative modification of affiliate links is not necessary for the core recommendation use case and therefore represents unnecessary privileged functionality. Unneeded mutation paths increase attack surface and make prompt- or tool-level misuse more damaging because an attacker can persist changes in local data rather than merely influencing one response.

Missing User Warnings

Severity: Medium, confidence 94%
The README explicitly describes a skill whose purpose is to recommend SaaS products with affiliate links, but it does not mention any requirement to disclose to end users that recommendations are monetized. In an agent context, this creates a conflict-of-interest risk where users may receive biased recommendations without transparency, which can mislead users and violate platform, consumer-protection, or affiliate disclosure expectations.

Vague Triggers

Severity: Medium, confidence 93%
The trigger conditions are broad generic recommendation queries, so the skill may activate during ordinary conversation and steer users toward a curated vendor list without clear user intent to invoke this specific skill. This creates an integrity and safety issue because it can inject promotional or externally sourced recommendations into unrelated chats, increasing the chance of unwanted network calls or biased outputs.

Vague Triggers

Severity: Medium, confidence 94%
The trigger list includes very broad terms such as '推荐' (recommend), '工具' (tool), '编程' (programming), and '开发' (development), which are common in ordinary conversation and can cause the skill to activate unintentionally. Because the skill executes local scripts with user-supplied parameters, accidental invocation enlarges the attack surface and can lead to unexpected command execution paths or unwanted disclosure of tool recommendations and links.
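To make the two Vague Triggers findings concrete, here is an added example (not part of the scan report or of the skill) that runs a keyword-trigger list over a constructed sample of ordinary chat and reports how often it fires on messages that never asked for a recommendation. The four quoted Chinese terms come from the finding; the extra English triggers, the narrower replacement phrases, the sample messages and the English glosses are the editor's own assumptions.

```python
# Added example, not the skill's code: measure how broad a keyword-trigger list is
# by replaying it over ordinary conversation. Everything below is constructed.

BROAD_TRIGGERS = ["推荐", "工具", "编程", "开发", "recommend", "tool"]  # recommend, tool, programming, development
NARROW_TRIGGERS = ["推荐开发工具", "recommend a dev tool", "recommend a saas tool"]  # hypothetical replacements

# Constructed sample conversation. Only indexes 5 and 6 actually ask for a dev-tool recommendation.
SAMPLE_MESSAGES = [
    "帮我看看这段代码为什么编译不过",          # help me see why this code won't compile
    "我们开发的功能下周上线",                  # the feature we developed ships next week
    "这个工具箱放在哪里？",                    # where does this toolbox go?
    "Can you recommend a good book on distributed systems?",
    "The tool chain failed on CI again",
    "请推荐开发工具，我想写 Rust",             # please recommend a dev tool, I want to write Rust
    "Recommend a dev tool for API mocking",
]
INTENDED = {5, 6}


def fires(triggers, message):
    """Naive keyword activation: the skill fires if any trigger is a substring of the message."""
    text = message.lower()
    return any(t.lower() in text for t in triggers)


def activation_report(triggers, messages, intended):
    """Which messages fire, which of those were unintended, and which intended ones were missed."""
    fired = [i for i, m in enumerate(messages) if fires(triggers, m)]
    return {
        "fired": fired,
        "false_activations": [i for i in fired if i not in intended],
        "missed": [i for i in sorted(intended) if i not in fired],
    }


def broad_trigger_candidates(triggers):
    """Heuristic lint: a single word, or a one- or two-character CJK term, carries little intent on its own."""
    return [t for t in triggers if len(t.split()) == 1 and (len(t) <= 2 or t.isascii())]


if __name__ == "__main__":
    for name, triggers in (("broad", BROAD_TRIGGERS), ("narrow", NARROW_TRIGGERS)):
        print(name, activation_report(triggers, SAMPLE_MESSAGES, INTENDED),
              "lint:", broad_trigger_candidates(triggers))
```

On this sample the broad list fires on six of seven messages, four of them unrelated to the skill's purpose, while the narrower phrases fire only on the two genuine requests; the lint flags every entry of the broad list and none of the narrow one. The same replay, run over a skill's real trigger list and a sample of the host's actual traffic, is the check a reviewer would want before accepting "recommendation queries" as a trigger.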

Missing User Warnings

Severity: Medium, confidence 88%
The code performs a persistent file write that changes affiliate links and product status with no user-facing confirmation, warning, or review step. In an agent environment, silent persistence makes accidental or induced tool misuse harder to detect and can leave long-lived malicious redirects in place.
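The two Intent-Code Divergence findings and this Missing User Warnings finding describe one write path: a function whose documentation claims administrator privileges, enforces nothing, and silently rewrites products.json while marking the product active. The page does not show the skill's code, so the following is an added illustration by the editor of that pattern next to the guarded form a reviewer would ask for. The products.json layout, the function names, the capability-token scheme and the sample URLs are all assumptions.

```python
# Added example, not the skill's code: the unguarded write the findings describe,
# beside a guarded variant. File layout, names and the capability scheme are assumed.
import json
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample store, shaped like the products.json the findings mention.
SAMPLE_PRODUCTS = [
    {"id": "p1", "name": "Example SaaS", "affiliate_url": "https://example.com/?ref=orig", "active": False},
]


def make_temp_store() -> Path:
    """Write the constructed sample to a fresh temp file and return its path."""
    store = Path(tempfile.mkdtemp()) / "products.json"
    store.write_text(json.dumps(SAMPLE_PRODUCTS))
    return store


def load_store(store: Path) -> list:
    return json.loads(store.read_text())


# --- The pattern the findings describe: the privilege claim lives only in the docstring. ---
def update_affiliate_link_unguarded(store: Path, product_id: str, new_url: str) -> bool:
    """Update a product's affiliate link. Requires administrator privileges."""
    products = load_store(store)
    for product in products:
        if product["id"] == product_id:
            product["affiliate_url"] = new_url       # any caller, any URL scheme, no review
            product["active"] = True                 # side effect the caller did not ask for
            store.write_text(json.dumps(products))   # persisted immediately, no confirmation
            return True
    return False


# --- Guarded variant: the claim is enforced and the write is reviewable. ---
class PermissionDenied(Exception):
    pass


_ADMIN_CAPABILITIES = set()   # hypothetical stand-in for the agent host's authorization mechanism


def issue_admin_capability() -> str:
    """Mint an opaque capability; a real host would do this out of band, not inside the skill."""
    token = secrets.token_urlsafe(16)
    _ADMIN_CAPABILITIES.add(token)
    return token


def update_affiliate_link_guarded(store: Path, product_id: str, new_url: str, *, capability: str,
                                  confirm: bool = False, audit: Optional[list] = None) -> dict:
    """Same change, but: authz enforced, https only, dry run unless confirmed, atomic write, audited."""
    if capability not in _ADMIN_CAPABILITIES:
        raise PermissionDenied("affiliate-link updates require an administrator capability")
    if not new_url.startswith("https://"):
        raise ValueError("affiliate links must use https://")
    products = load_store(store)
    target = next((p for p in products if p["id"] == product_id), None)
    if target is None:
        raise KeyError(product_id)
    change = {"product": product_id, "old": target["affiliate_url"], "new": new_url}
    if not confirm:
        return {"applied": False, "proposed": change}   # review step: nothing on disk changes
    target["affiliate_url"] = new_url
    # 'active' is deliberately untouched: a status change needs its own explicit, audited call.
    tmp = store.with_name(store.name + ".tmp")
    tmp.write_text(json.dumps(products))
    os.replace(tmp, store)                              # atomic swap, never a torn file
    if audit is not None:
        audit.append(change)
    return {"applied": True, "proposed": change}


def demo() -> dict:
    """Run both variants against fresh copies of the sample store and report what happened."""
    out, store = {}, make_temp_store()
    out["unguarded_ok"] = update_affiliate_link_unguarded(store, "p1", "http://example.net/?ref=redirected")
    out["unguarded_url"], out["unguarded_active"] = (load_store(store)[0][k] for k in ("affiliate_url", "active"))
    store, audit, target = make_temp_store(), [], "https://example.com/?ref=new"
    try:
        update_affiliate_link_guarded(store, "p1", target, capability="guess", confirm=True)
        out["denied_without_capability"] = False
    except PermissionDenied:
        out["denied_without_capability"] = True
    cap = issue_admin_capability()
    try:
        update_affiliate_link_guarded(store, "p1", "http://example.com/?ref=new", capability=cap, confirm=True)
        out["plain_http_rejected"] = False
    except ValueError:
        out["plain_http_rejected"] = True
    out["dry_run_applied"] = update_affiliate_link_guarded(store, "p1", target, capability=cap, audit=audit)["applied"]
    out["url_after_dry_run"] = load_store(store)[0]["affiliate_url"]
    out["applied"] = update_affiliate_link_guarded(store, "p1", target, capability=cap, confirm=True, audit=audit)["applied"]
    out["url_after_apply"], out["active_after_apply"] = (load_store(store)[0][k] for k in ("affiliate_url", "active"))
    out["audit_entries"] = len(audit)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unguarded call succeeds for an anonymous caller, accepts a plain-http destination and flips the product to active as a side effect, which is exactly the integrity risk the findings describe. The guarded call refuses without a capability, refuses a non-https link, changes nothing on disk until the caller confirms, leaves the product's status alone, and records the change, so a stray or induced invocation is both harder to trigger and visible afterwards.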

VirusTotal

66/66 vendors flagged this skill as clean. Note that an antivirus verdict covers known-malicious files; it does not speak to the design and trust issues in the findings above.