Back to skill

Security audit

Json Tools

Security checks across malware telemetry and agentic risk

Overview

The JSON tool itself is straightforward, but the package also includes an under-documented CI verifier that can run Python files from target folders, so it warrants Review before installation.

Install only if you trust the publisher and intend to use the JSON CLI. Avoid running ci/verify_product.py on untrusted folders or in environments with secrets unless it is sandboxed; the core json_tools.py appears consistent with the advertised local JSON operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
97% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
98% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable CLI usage that reads and writes local files and invokes Python from the shell, yet the metadata shown does not declare corresponding permissions. Undeclared capabilities create a trust and review gap: an agent or user may authorize the skill under false assumptions, then allow file-system or command execution behaviors that were not transparently disclosed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented purpose focuses on JSON utilities, but the described/observed behavior extends into self-tests, package verification, Python compilation checks, subprocess execution, and secret scanning. This mismatch is dangerous because it broadens the operational scope beyond user expectations, increasing the chance that an agent runs repository-wide inspection or command execution workflows with access to sensitive files or environments.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This verification harness introduces a dangerous capability—executing arbitrary Python from the product under review—that is not required for a JSON manipulation skill. The mismatch between declared skill purpose and actual behavior increases risk because users and reviewers may not expect CI-time code execution from this component.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code enumerates test scripts in the product folder and executes them despite the advertised skill being JSON tooling. This unjustified execution surface enables malicious products to trigger code execution during routine validation, making supply-chain compromise of CI runners plausible.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file's behavior is a portfolio/product verification harness rather than JSON tooling, indicating significant scope drift from the declared skill purpose. That mismatch is not a memory-safety flaw by itself, but it is security-relevant because hidden or unexpected capabilities reduce reviewer trust and can conceal dangerous execution paths elsewhere in the skill.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.