Back to skill

Security audit

File Watcher

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local file-watching tool; its main risk is that snapshots can expose file names and metadata from directories the user chooses to scan.

Install this only if you want a local CLI that reads the files and directories you explicitly point it at. Avoid running snapshots over broad home, secrets, or work directories unless you are comfortable storing their filenames and metadata in JSON output, and run the CI verifier only against code you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
70% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 7 deploy-ready
    ci = os.path.join(os.path.dirname(os.path.abspath(__file__)), "ci_check.py")
    if os.path.isfile(ci) and os.path.isfile(skill):
        r = subprocess.run([sys.executable, ci], cwd=folder, capture_output=True, text=True)
        all_ok &= axis(r.returncode == 0, "deploy-ready (ci/ci_check.py PASS)")
    else:
        all_ok &= axis(True, "deploy-ready (skipped)")
Confidence
70% confidence
Finding
r = subprocess.run([sys.executable, ci], cwd=folder, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
all_ok &= axis(False, "frontmatter (no SKILL.md)")
        all_ok &= axis(False, "docs (no SKILL.md)")
    # 3 compiles
    comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp],
                                capture_output=True).returncode == 0 for fp in files)
    all_ok &= axis(comp_ok, "compiles (py_compile all .py)")
    # 4 self-test (any of 3 valid forms)
Confidence
70% confidence
Finding
comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp], capture_output=True).returncode == 0 for fp in files)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
70% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation presents this script as a verification harness performing checks like structure, docs, and security, which implies analysis-oriented behavior. In practice, the code runs each discovered Python file with a `self-test` argument and executes matching test files, causing code execution in the target skill rather than only verification or inspection.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The `once` command can save a snapshot containing file paths, timestamps, sizes, and hashes to a user-specified JSON file. Although the code prints a success message after writing, there is no prior user-facing warning in this file that the output may contain sensitive filesystem metadata.

Unvalidated Output Injection

High
Category
Output Handling
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
95% confidence
Finding
subprocess.run([sys.executable, fp, "self-test"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
all_ok &= axis(False, "frontmatter (no SKILL.md)")
        all_ok &= axis(False, "docs (no SKILL.md)")
    # 3 compiles
    comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp],
                                capture_output=True).returncode == 0 for fp in files)
    all_ok &= axis(comp_ok, "compiles (py_compile all .py)")
    # 4 self-test (any of 3 valid forms)
Confidence
95% confidence
Finding
subprocess.run([sys.executable, "-m", "py_compile", fp], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
95% confidence
Finding
subprocess.run([sys.executable, t], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
# 7 deploy-ready
    ci = os.path.join(os.path.dirname(os.path.abspath(__file__)), "ci_check.py")
    if os.path.isfile(ci) and os.path.isfile(skill):
        r = subprocess.run([sys.executable, ci], cwd=folder, capture_output=True, text=True)
        all_ok &= axis(r.returncode == 0, "deploy-ready (ci/ci_check.py PASS)")
    else:
        all_ok &= axis(True, "deploy-ready (skipped)")
Confidence
95% confidence
Finding
subprocess.run([sys.executable, ci], cwd=folder, capture_output

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.