Folder Inspector

Security checks across malware telemetry and agentic risk

Overview

This folder-listing skill does what its description says, but it builds a shell command from user input and writes undisclosed debug logs, which makes it risky to install.

Review carefully before installing. Only use it with trusted, explicit paths, and prefer a fixed version that lists directories through native filesystem APIs (or, if a helper process is unavoidable, execFile/spawn with an argument array and no shell), resolves helper files relative to the installed skill rather than a hard-coded absolute path, narrows activation to explicit user requests, and removes or clearly discloses its debug logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The metadata declares a simple directory-inspection skill, but the implementation reportedly has file-write capability without declaring that permission. Undeclared write behavior breaks the principle of least privilege and can enable unexpected persistence, log tampering, or data leakage through local file writes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The reported behavior exceeds the declared purpose by writing debug logs to /tmp and returning data that does not match the documented interface. This mismatch is dangerous because users and orchestrators may trust the skill as read-only while it performs side effects, and writing to a shared temporary location can expose sensitive path or file metadata to other local processes.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill launches an external Python process through execSync while interpolating user-controlled input into a shell command string. For a simple directory-listing task this is unnecessary and materially increases the attack surface: shell metacharacters in args.path (for example `;`, `|`, `$(...)` or backticks) are interpreted by the shell, so a crafted path leads to command injection and arbitrary command execution with the skill's privileges. The hard-coded absolute path to the external script also extends the trust boundary to a file outside this module, which anyone able to write that location can replace.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The script writes the user-supplied directory path directly to a persistent debug log in /tmp without any disclosure, minimization, or access control. Directory paths can reveal usernames, project names, mount points, or other sensitive filesystem details, and /tmp is commonly shared or broadly accessible on multi-user systems, increasing the chance of unintended information exposure.

VirusTotal

66/66 vendors reported this skill as clean (0 detections).

View on VirusTotal