Back to skill

Security audit

Sweeping Monk

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly an academic-methodology assistant, but it also enables default-on local logging, default-on cloud telemetry, persistent user profiling, and creator proposal workflows that can use local tokens and modify skill files.

Install only if you are comfortable with an advisory skill that starts local logging and anonymous cloud telemetry by default. Before use, consider disabling upload with the documented opt-out phrase, clearing or avoiding the acquaintance profile if you do not want persistent personalization, and using proposal approval/application only as the skill creator after reviewing the exact changes and token access paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares itself as an advisory research assistant, yet its documented behavior includes outbound network communication for telemetry and proposal-management workflows. Undeclared or under-signaled network capability weakens user trust and creates a channel for data exfiltration or remote control features that are not essential to the stated purpose.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
There is a substantial mismatch between the stated purpose of a methodology advisor and the embedded behavior for remote proposal fetching, approval/rejection, local token access, and local file patching. This kind of hidden scope expansion is dangerous because users may invoke the skill expecting advice while it also contains privileged administrative and modification workflows.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest presents a benign advisory skill, but the body adds telemetry, cloud interaction, proposal review, and local patch application. This discrepancy increases the chance that users or reviewers will grant access under false assumptions, enabling unrelated data handling and file modification behaviors.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill enables default-on local logging and anonymous cloud upload of user-derived interaction signals that are not necessary for providing research-methodology advice. Even if the payload is described as limited, default-on telemetry creates privacy risk, can be broadened later, and normalizes data transfer without explicit prior consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Remote proposal review/approval and local file modification are unrelated to the skill's stated academic-advisory role, yet they create a path for remote-driven changes to local files. This can be exploited to alter skill behavior, introduce malicious instructions, or persist unwanted modifications under the guise of routine proposal application.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation claims the skill is not an executor and does not write or modify content by default, but later sections authorize local file modification and version updates. Contradictory safety messaging is dangerous because it lowers user vigilance and can induce consent to actions they would not expect from the stated role.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file explicitly instructs the skill to retain cross-session user history and methodological preferences in a persistent record, which exceeds the declared advisory role and creates undeclared memory behavior. Even though it says not to store sensitive data, persistent accumulation of user-specific context and inferred traits still enables profiling, unauthorized retention, and unintended disclosure across future sessions.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This section stores a detailed user profile, recurring topics, behavioral judgments, and calibration notes about how to handle the user in future interactions. That is more than harmless personalization: it is persistent profiling and interaction scoring, which can bias future responses, leak confidential work patterns, and conflict with the skill's stated function if not transparently disclosed and authorized.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly introduces telemetry collection and default-on cloud upload that are not necessary for a research-advisory assistant's stated function. Even if the payload is framed as 'method-layer tags' and 'anonymous,' it still creates persistent behavioral metadata and a transmission path that expands data handling risk beyond user expectations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This section materially expands the skill from a local advisory tool into a telemetry system with remote upload, persistence, retry logic, and upload-state tracking. That broader operational scope increases privacy, security, and compliance risk because the agent now stores and transmits user-interaction metadata over the network.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document treats mere non-action as authorization and characterizes the first notice as only a reminder rather than a permission request. That is dangerous because it bypasses meaningful consent for ongoing logging and upload of interaction metadata, especially in contexts where users may not understand or notice the default behavior.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The privacy section says local signals remain only on the local machine, but elsewhere the same signals are uploaded to the cloud when cloud mode is enabled. This contradictory documentation can mislead users and reviewers about actual data flows, undermining informed consent and causing improper handling assumptions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads bearer tokens from local secret locations and uses them to perform authenticated approve/reject actions against a remote service. That creates a capability to exercise creator authority from within a skill package, which is not aligned with the declared research-advisory purpose and increases the risk of unauthorized or surprising privileged actions if the script is invoked by a user or automation.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code makes outbound HTTP requests to a cloud proposal service and supports authenticated state-changing POST requests, but the skill metadata describes only research/methodology assistance and says search/verification is delegated elsewhere. Hidden network and write capabilities are risky because they can transmit local context or trigger remote actions that users would not reasonably expect from this skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill permits script execution and local file changes for proposal application without a strong, user-facing warning at the moment of action. This is dangerous because users may trigger an apparently administrative convenience flow that silently modifies files, potentially applying unsafe or unintended changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown normalizes automatic persistence of preferences and conversation-derived history but does not provide a meaningful up-front warning in the actual user interaction flow. A buried note in an internal reference file is not sufficient notice, so users may unknowingly disclose information under the assumption that sessions are ephemeral.

Missing User Warnings

High
Confidence
95% confidence
Finding
The file specifies default-on cloud upload while downplaying the privacy significance as transparent, zero-config behavior. Users are not given a strong, explicit warning before network transmission begins, which makes silent or poorly understood metadata exfiltration more likely.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The control phrase for disabling logging is specified only in Chinese, which can prevent non-Chinese-speaking users from exercising privacy controls. In a skill with default-on logging, inaccessible opt-out language increases the chance of unintended continued collection.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The cloud-upload opt-out phrase is also Chinese-only, creating the same accessibility problem for users who do not read Chinese. Because upload is default-on, language-restricted controls raise the risk that users cannot effectively stop network transmission.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The file content is entirely in Chinese and does not offer a language-choice mechanism or document a justified requirement to operate only in Chinese. In practice this can exclude users who cannot read Chinese, cause misunderstanding of research guidance, and reduce safe/accurate use of the skill, though it does not create direct code-execution or data-exfiltration risk.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to read cross-session memory/profile files containing historical user data. Accessing persistent user data raises privacy and data-minimization concerns, especially when the skill's stated role does not require broad profile inspection for every invocation.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill directs default-on persistent logging and cloud sharing of interaction-derived signals. Even if framed as anonymous method tags, this still creates a persistent behavioral data trail and a remote transmission path that can expose user patterns or be expanded beyond current claims.

Ssd 4

Medium
Confidence
97% confidence
Finding
The consent model treats notice-plus-opt-out as implied authorization for cloud sharing, which is weak for privacy-sensitive telemetry. This is dangerous because users may not understand that data transmission is already enabled, undermining meaningful consent and increasing the chance of unauthorized data handling.

Ssd 3

Medium
Confidence
96% confidence
Finding
Automatic cross-session accumulation in a freeform markdown file creates a data retention and leakage risk because conversation content, preferences, and future inferences can be stored without strong boundaries. Natural-language memory stores are especially risky because they tend to accumulate more detail than intended and are harder to audit, redact, or enforce against sensitive-data capture.

Ssd 3

Medium
Confidence
98% confidence
Finding
The calibration section goes beyond simple preferences and records evaluative judgments about the user's progress, corrections, and how the assistant should adjust behavior. This creates a durable interaction dossier that can amplify privacy harm, introduce unfair or stale personalization, and expose sensitive meta-information about the user's abilities or project conduct if accessed by others or reused inappropriately.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.