Back to skill

Security audit

Secret Scanner

Security checks across malware telemetry and agentic risk

Overview

The main secret scanner is coherent, but the package also includes an under-disclosed CI verifier that can execute Python files from target folders.

Install only if you intend to use the documented secret_scanner.py workflow. Do not run ci/verify_product.py on untrusted projects or repositories with secrets unless it is isolated in a disposable sandbox with no network access and no sensitive environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
98% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
98% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises executable workflows and usage that imply shell execution and file access, yet no permissions are declared. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as lower risk than it really is, while the skill can still invoke local commands and access repository contents during scans or self-tests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The described purpose is a secret scanner, but the observed behavior extends into generic package validation, subprocess execution, compilation, and self-test/deploy checks unrelated to merely detecting secrets. That mismatch is dangerous because it can mask broader execution and inspection behavior under a narrowly scoped security-tool label, increasing the chance that users grant trust or run it in sensitive repositories without understanding the real attack surface.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The finding correctly identifies that the verification harness executes arbitrary Python files as part of self-test discovery. In the context of a secret-scanning skill, this is more dangerous because operators may feed it untrusted repositories expecting passive analysis, but instead the harness actively runs repository code.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Although compilation itself is relatively safe, this block also discovers and executes test files from the target directory, which is unrelated to the advertised secret-scanning purpose. The mismatch in expected behavior increases risk because users may trust the tool with untrusted code under the assumption it only scans text, not executes it.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file is a general product verification harness rather than functionality for detecting secrets as described in the skill metadata. That scope mismatch is dangerous because it hides additional behavior—especially code execution of repository files—behind a benign secret-scanning label, increasing the chance that operators run it on untrusted content.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.