Back to skill

Security audit

Denario (Autonomous Research Pipeline)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its research-automation purpose, but it includes an undisclosed hardcoded Perplexity API key and can generate a paper using built-in mock results.

Review before installing. Use your own scoped API keys, remove or rotate the bundled Perplexity key, treat generated papers and results as drafts requiring human validation, and avoid sending private research data until all external providers and transmitted content are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script directly configures external service credentials and endpoints, including a hardcoded API key, in a local test file without any access control or disclosure mechanism. Embedding secrets in source code is dangerous because anyone with repository or artifact access can reuse the credential, incur costs, access third-party services, or pivot into related environments.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script inspects API credential state and unconditionally redirects an OpenAI-compatible client to a third-party remote endpoint. In a skill context with no clear user disclosure or constrained data-flow boundaries, this creates a real risk of sending prompts, project contents, or other sensitive material to an external service unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation indicates that first use will auto-install dependencies and create a virtual environment in the user's home directory, but it does not present this as a clear upfront warning about system modification and persistence. That omission can cause users to trigger package installation and durable filesystem changes without informed consent, which is especially risky for agent-executed skills that may run with little friction.

Missing User Warnings

High
Confidence
99% confidence
Finding
A live-looking API credential is hardcoded into the script and assigned into the environment, which exposes it to anyone who can read the file, logs, backups, or repository history. This can lead to unauthorized API use, billing abuse, and potential compromise of data processed through that external provider.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the data description and project context to a remote LLM endpoint by configuring a third-party API base URL and then calling Denario's idea-generation workflow. Even though the sample data here appears non-sensitive, the script provides no explicit user-facing warning or consent gate before transmitting potentially sensitive dataset or project context off-host, which creates a real data exposure risk when reused with private inputs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code invokes a remote LLM workflow that may transmit methodology inputs, project artifacts, and derived content off-host without any meaningful disclosure, consent flow, or data-minimization guardrails. In agent skills, silent network transmission is dangerous because users may assume processing is local while sensitive repository or prompt data is actually sent to an external provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.