Back to skill

Security audit

Skill Forge

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a skill-building meta-tool, but it bundles default-on telemetry, cloud upload, local profiling, broad local scanning, and publishing workflows that deserve careful review before installation.

Install only if you are comfortable with a meta-skill that can guide agents to scan local skills, maintain usage history, use cloud endpoints, read local creator credentials for proposal approval/publishing, and publish skills through local CLIs. Before using it, disable logging/upload if unwanted, avoid --semantic unless you accept sending skill metadata to an embedding provider, and require explicit confirmation before merge, proposal-apply, or publish actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents capabilities spanning file access, shell execution, environment/credential access, and network operations, but does not declare permissions or sharply constrain when those capabilities may be used. In a meta-skill that can forge, modify, publish, and republish other skills, this creates a broad and under-signaled authority surface that can lead to unintended local changes or external actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose presents the skill as a methodology/review meta-skill, but the body includes concrete release automation, remote proposal management, credential use, and local config mutation. This mismatch is dangerous because users may invoke the skill expecting advisory behavior while it is also authorized to perform operational actions against local files and remote services.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A skill advertised as quality discipline and methodology should not silently bundle deployment behavior in the same trust boundary. Combining advisory/review functions with release execution increases the chance that benign audit requests escalate into authenticated external publication or remote workflow actions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The NON-mandate says the skill does not publish automatically and points elsewhere, but later sections state that it ships and invokes its own bundled publisher. Contradictory safety boundaries are dangerous because they obscure the true action surface and can cause users to consent under a false understanding of what the skill may do.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document explicitly instructs the skill to use an external memory file for cross-session user profiling, but the stated purpose of the skill is forging and reviewing other skills rather than maintaining persistent user dossiers. That creates unnecessary data collection scope and increases privacy risk because personal traits and behavior patterns may be retained beyond what is needed for the skill's core function.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script claims its scan scope is locked to ~/.workbuddy/skills, but it actually permits overriding the target directory through the SKILLS_DIR environment variable. In an agent context, this weakens operator trust and can expose arbitrary local directories to scanning and report generation, especially if another component controls the environment.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code advertises zero side effects, but --out allows writing a report to an arbitrary filesystem path. That mismatch can mislead users and higher-level agents into granting broader trust than warranted, and in some environments may overwrite files the caller did not expect this tool to touch.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Optional semantic mode sends skill names and descriptions to an external embedding service, which is materially broader than a local read-only scanner. In this skill context, the scanned corpus may contain sensitive internal skill metadata, so outbound transmission increases confidentiality risk even if only partial text is sent.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation text is broad enough to activate the skill for many ordinary requests involving skills, upgrades, or audits. Because this skill also includes high-impact behaviors like consolidation, modification, logging, and publishing workflows, overbroad triggering increases the risk of unintended activation and action escalation.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The usage guidance lists broad activation conditions but does not place equally prominent limits on when the skill must not engage. In a multi-mode skill with file, telemetry, and release behavior, weak boundaries make accidental activation and scope expansion more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill enables local logging and default-on cloud upload of usage signals, but frames this mainly as an install notice rather than a prominent privacy and security warning. Default-on telemetry in a skill that processes user interactions is dangerous because users may not understand that behavioral metadata will be retained and potentially transmitted.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module enables churn-analysis telemetry by default and states that cloud mode can upload usage-derived metadata, while the consent model is only partially transparent. Even though it claims to avoid PII and message content, default-on behavioral monitoring can still reveal sensitive usage patterns, and users may not meaningfully understand or consent before collection begins.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instruction to use an external memory file for profiling does not include any user warning that information will persist across sessions. Silent persistence of user characteristics undermines informed consent and can expose sensitive preferences, weaknesses, or behavioral patterns without the user's awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Acquaintance memory section directs ongoing storage of the user's field, level, blind spots, and interaction style, but gives no privacy notice, retention policy, or minimization guidance. This encourages creation of a persistent behavioral profile that could be misused, over-collected, or retained indefinitely.

Ssd 3

Medium
Confidence
97% confidence
Finding
Default-on logging and cloud upload of interaction-derived signals create a covert data-exfiltration channel, even if the content is described as method-only metadata. Behavioral signals, confidence, corrections, and usage patterns can still reveal sensitive information about users, workflows, or proprietary activities when aggregated.

Ssd 3

High
Confidence
98% confidence
Finding
The skill requires every forged skill to include install-time-on telemetry and, for cloud versions, default-on upload. This scales the privacy risk from one skill to an ecosystem-level propagation mechanism, normalizing hidden or low-friction data collection across all generated artifacts.

Ssd 3

Medium
Confidence
94% confidence
Finding
The guidance tells the skill to build and update a persistent user profile from prior interactions, including recurring blind spots and preferred style. In the context of a meta-skill for skill forging/review, this persistent profiling is more dangerous because it is not clearly necessary to perform the advertised function and can normalize broad collection of user attributes across unrelated tasks.

Ssd 3

Medium
Confidence
90% confidence
Finding
The document promotes non-intrusive feedback collection and explicitly mentions saving user-supplied local CSV catalog paths to memory and collecting passive signals by default. Even without code, this normalizes retention of potentially sensitive local environment details and telemetry without clear consent, minimization, retention limits, or redaction rules; in an agent context, that can lead to privacy leakage, profiling, or unintended propagation of local filesystem information across sessions/tools.

External Transmission

Medium
Category
Data Exfiltration
Content
- 对轻量无法判定的"疑似重叠"聚类,调用向量模型对 SKILL.md + references 摘要做 embedding 相似度;
- **无 key 或调用失败 → 静默回退轻量模式**,不阻塞主流程;
- 向量 key 读取顺序(**均不进包**):
  1. env `SILICONFLOW_API_KEY`(若用其他模型,再读 `SILICONFLOW_API_BASE`;硅基流动默认 `https://api.siliconflow.cn/v1/embeddings`);
  2. `~/.workbuddy/secrets/cjg-evo/siliconflow.json`(结构:`{"api_key": "...", "base_url": "..."}` 或仅 `{"api_key": "..."}`)。

> **关于向量 key 的说明**:硅基流动只是"推荐的一个免费向量模型",**不是唯一选项**。用户可:
Confidence
89% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
# ----------------------------------------------------------------------------
def _load_embed_key():
    key = os.environ.get("SILICONFLOW_API_KEY")
    base = os.environ.get("SILICONFLOW_API_BASE", "https://api.siliconflow.cn/v1/embeddings")
    model = os.environ.get("SILICONFLOW_MODEL", "BAAI/bge-m3")
    if not key and os.path.isfile(SECRETS_KEY_FILE):
        try:
Confidence
94% confidence
Finding
https://api.siliconflow.cn/

Unvalidated Output Injection

High
Category
Output Handling
Content
env = os.environ.copy()
        env["PYTHONIOENCODING"] = "utf-8"
        env["PYTHONUTF8"] = "1"
        result = subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8",
                                timeout=120, env=env)
        if result.returncode == 0:
            out = (result.stdout or result.stderr).strip().lstrip("✓ ").lstrip("✗ ")
Confidence
74% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
env = os.environ.copy()
        env["PYTHONIOENCODING"] = "utf-8"
        env["PYTHONUTF8"] = "1"
        result = subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8",
                                timeout=120, env=env)
        if result.returncode == 0:
            print(f"    ✓ {(result.stdout or result.stderr).strip()}")
Confidence
74% confidence
Finding
subprocess.run(cmd, capture_output

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.