Ask Council

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local wrapper that sends a user’s council question to a local LLM Council backend and prints the synthesized answer.

Install only if you run and trust the LLM Council backend on your machine. Avoid sending secrets, credentials, or sensitive personal data through `/council`, because prompts may be processed by connected models and may appear in the backend web UI or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs the agent to execute a local shell script, but the manifest shown in SKILL.md does not declare permissions for shell/code execution. That creates a transparency and policy gap: users and the platform may not realize the skill can run commands, increasing the chance of unintended command execution through a deceptively simple chat trigger.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger phrase "ask council" is broad enough to match ordinary conversation rather than an intentional tool invocation. In a chat environment, that can cause the skill to send user content to the backend service unexpectedly, creating privacy leakage and unintended external actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The description explains functionality but does not clearly warn that user questions are transmitted to an external/backend service and that results are associated with a web UI link. Users may share sensitive information believing the interaction is local to chat, when it is actually forwarded and potentially exposed through another interface.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script transmits the user's question to a backend service over plain HTTP and does not disclose that the prompt content is being sent off-process. Even though the destination is localhost, plaintext transport and lack of user notice can expose sensitive prompts to local interception, proxying, port-forwarding, or accidental forwarding beyond the host environment.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
fi

# ── Start council run ─────────────────────────────────────────────────────────
RUN_RESPONSE=$(curl -s -X POST "$API_BASE/api/conversations/$CONVO_ID/runs" \
  -H "Content-Type: application/json" \
  -d "{\"content\": $(echo "$QUESTION" | python3 -c 'import json, sys; print(json.dumps(sys.stdin.read().strip()))')}")
RUN_ID=$(echo "$RUN_RESPONSE" | python3 -c "import sys, json; print(json.load(sys.stdin)['run_id'])")
Confidence: 97%
Finding: curl -s -X POST "$API_BASE/api/conversations/$CONVO_ID/runs" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
