Back to skill

Security audit

Company Ops

Security checks across malware telemetry and agentic risk

Overview

The skill is openly an autonomous operations loop, but it can automatically modify and push repository contents with too little user control or containment.

Install only in a dedicated, least-privilege repository with no secrets or unrelated files, and do not run it unattended until automatic pushes are disabled or constrained by an allowlist, review step, and secret scanning. Treat the bundled CI verifier as code-executing test infrastructure and run it only in an isolated environment for untrusted submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
97% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
98% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The function claims low-confidence actions will be deferred or escalated, but when CONFIDENCE is below PROCEED_THRESHOLD and above ESCALATE_THRESHOLD it only logs a message and still continues to perform work. In an autonomous agent that reads tasks and commits changes, this mismatch undermines a stated safety control and can lead to unintended or unsafe autonomous actions despite a supposed guardrail.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README markets a "24/7" autonomous company loop, self-improvement, task execution, and revenue tracking, but does not clearly warn users about the operational, financial, privacy, or system-action risks of deploying such automation. Even though the document mentions confidence gating and escalation, the overall framing encourages autonomous execution without sufficient safety boundaries, which can mislead users into running impactful automation with inadequate oversight.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly promotes a 24/7 autonomous, self-improving operating loop for a 'company' but provides no meaningful safety caveats about data access, external side effects, financial actions, or system integrity. In this context, framing continuous autonomous operation as a turnkey capability can encourage unsafe deployment of high-impact automation without human oversight or boundary controls.

Missing User Warnings

Low
Confidence
97% confidence
Finding
The installation instructions direct users to download executable code via curl from a remote GitHub raw URL without any integrity verification, pinning, checksum, or signature guidance. This increases supply-chain risk because users may run altered, replaced, or unexpected code while assuming the self-contained script is trustworthy.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically stages all local changes and pushes them to GitHub each tick, creating a data-exfiltration and integrity risk if sensitive files, secrets, or attacker-induced modifications exist in the working tree. In this autonomous context, the danger is higher because the agent also pulls tasking from the repository and may propagate unintended or malicious changes without human review.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.