OC Team Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is described as a team-building and research helper, but its experiment mode can run shell commands, change repositories, and continue autonomously with weak safeguards.

Install only if you specifically need the Research Lab automation and can run it in a sandbox, disposable branch, or test copy of a project. Review every command before using experiment.sh, avoid untrusted agent definition files or arbitrary --file paths, set your own runtime and cost limits, and do not run the autonomous loop unattended on important repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

Description-Behavior Mismatch (Medium severity, 92% confidence)

The document materially expands a 'team-builder' skill into an autonomous experimentation framework that can mutate repositories and drive iterative system changes. This scope expansion is dangerous because users may invoke a planning skill but instead enable code-modifying behavior with operational and security consequences outside the advertised purpose.

Description-Behavior Mismatch (High severity, 97% confidence)

These instructions tell the agent to directly edit code, commit changes, execute training jobs, inspect logs, and revert with git operations, which goes far beyond proposing teams. In the context of a team-composition skill, this creates a capability mismatch that can lead to unauthorized code execution, destructive repository changes, and misuse of local compute resources.

Context-Inappropriate Capability (High severity, 98% confidence)

An instruction to 'loop forever' and remain fully autonomous is unjustified for a team-builder context and creates an unbounded action pattern. This is dangerous because it can consume compute indefinitely, repeatedly mutate artifacts, and continue acting without fresh user authorization or review.

Context-Inappropriate Capability (High severity, 96% confidence)

The setup and trial instructions include cloning repositories, installing dependencies, preparing data, creating branches, and running training jobs, none of which are necessary for team composition. In this skill context, those steps enable environment modification and code execution that users would not reasonably expect from a planner/reviewer workflow.

Intent-Code Divergence (Medium severity, 85% confidence)

The claimed constraint of modifying only in-scope files is undermined by surrounding examples that clone repos, install dependencies, commit, and hard-reset branches. That inconsistency is dangerous because it presents weak guardrails while normalizing broader state-changing actions that can affect the host environment and repository history.

Context-Inappropriate Capability (Medium severity, 96% confidence)

The script allows callers to supply an arbitrary path via --file and then prints that file's contents with cat or sed, without restricting access to the intended agency roster directories. In an agent-skill context, this can become a local file disclosure primitive that exposes sensitive files such as configuration, secrets, or prompt material if an attacker can influence the argument.

Description-Behavior Mismatch (Medium severity, 88% confidence)

The script exposes a generic experiment runner for arbitrary local projects, including user-controlled execution and modification workflows, which materially exceeds the stated purpose of a team-composition skill. This capability expansion is dangerous because it enables code execution and repository mutation in contexts unrelated to the advertised skill, increasing the chance of misuse or unexpected destructive actions.

Context-Inappropriate Capability (High severity, 97% confidence)

The --run-cmd and --metric-cmd options allow callers to supply arbitrary shell commands that are later executed, effectively turning the skill into a general-purpose command execution wrapper. In the context of a 'team-builder' skill, this is especially risky because users and orchestrators would not reasonably expect remote-code-execution-like behavior from the advertised functionality.

Context-Inappropriate Capability (High severity, 84% confidence)

The setup path creates and checks out branches in the target repository, and later code commits or reverts file changes, giving the skill write-side effects on user repositories. Those mutation capabilities are not obviously necessary for team composition and increase the risk of unintended source changes, data loss, or persistence of malicious modifications if the tool is invoked on sensitive repos.

Missing User Warnings (Medium severity, 90% confidence)

The skill explicitly promotes autonomous experiment loops, including overnight runs, but does not describe safeguards such as runtime limits, budget caps, human approval gates, or monitoring requirements. In an agent skill context, this can lead to excessive CPU/GPU usage, runaway processes, unexpected costs, or uncontrolled modification attempts if supporting scripts are permissive.

Missing User Warnings (Low severity, 93% confidence)

The document instructs users to run local shell scripts directly (`bash .../activate.sh` and `bash .../plan.sh`) without any warning about execution risk, trust boundaries, or side effects. In an agent skill context, this is dangerous because users or downstream agents may copy-paste and execute commands that invoke repository-controlled scripts, which could modify the environment, access local data, or perform unintended actions if the scripts are changed or unreviewed.

Vague Triggers (Medium severity, 85% confidence)

The file instructs users to 'read their definition file and adopt their role' for any specialist, which normalizes wholesale persona/behavior adoption from external prompt files without stating trust boundaries, allowed capabilities, or conflict-resolution rules. In a multi-agent skill, that broad delegation increases prompt-injection risk because downstream agent files may contain unsafe instructions that override system goals, expand scope, or cause sensitive actions under an assumed role.

Vague Triggers (Medium severity, 89% confidence)

The quick activation template uses a very generic 'Activate [Agent Name]' pattern and directs the operator to read and apply arbitrary agent definition files, but it provides no scope guardrails, exclusion examples, or safety checks before execution. In practice, this lowers the barrier for ambiguous or overbroad activation, making it easier to invoke powerful specialists in inappropriate contexts or to propagate unsafe instructions from referenced files into the active workflow.

Missing User Warnings (Medium severity, 94% confidence)

The autonomous loop repeatedly changes code, runs experiments, and may revert state without any clear warning about impacts to data, compute usage, logs, or repository history. Missing user-facing risk disclosure is problematic here because the skill context suggests orchestration/planning, not potentially disruptive automation.

Missing User Warnings (High severity, 98% confidence)

The examples include 'git reset --hard', a destructive operation that can permanently discard local modifications, but no warning or safeguards are provided. In a skill that is not primarily a version-control tool, this sharply increases the risk of accidental data loss and harmful automation if copied or followed blindly.

Missing User Warnings (Medium severity, 99% confidence)

The script executes the user-supplied run command through bash -c, which allows arbitrary shell metacharacters, command chaining, substitutions, and redirections to run with the script's privileges. This is a direct command-injection/code-execution sink and can be exploited to run destructive commands, exfiltrate data, or alter the host and repository contents.

Missing User Warnings (Medium severity, 99% confidence)

The metric extraction path uses eval on a user-controlled string, which gives an attacker full shell execution during metric parsing. Because this occurs even after the main run step, it creates an additional hidden execution point that can be used to execute arbitrary commands, tamper with outputs, or bypass assumptions about a harmless parsing operation.

Missing User Warnings (Medium severity, 95% confidence)

The run path combines arbitrary command execution with file-changing git operations, so a supplied command can modify repository state and then influence whether changes are committed, discarded, or left behind. In a misleadingly benign skill context, this increases the danger because users may trigger destructive or persistent changes without realizing the skill can execute shell code and mutate source control state.

Unbounded Resource Access (Medium severity, category Excessive Agency, 97% confidence)

Content:

| Specialized | 7 | Agents Orchestrator, Data Analytics, LSP Engineer |

### 3. Research Lab (`references/TEAM-RESEARCH.md`)
Autonomous experiment loops adapted from Karpathy's [autoresearch](https://github.com/karpathy/autoresearch). Set up a measurable experiment, run it in a fixed time budget, keep improvements, discard failures, loop forever.

Source code reference: `reference/autoresearch-master/` (program.md, train.py, prepare.py)

Finding: loop forever

Unbounded Resource Access (Medium severity, category Excessive Agency, 90% confidence)

Content:

# Research Lab — Autonomous Experiment Methodology

Adapted from Karpathy's [autoresearch](https://github.com/karpathy/autoresearch) framework. The core idea: set up a measurable experiment, run it in a fixed time budget, keep improvements, discard failures, and loop forever.

This methodology is **not limited to ML training**. It applies to any domain with a measurable metric: image analysis pipelines, prompt engineering, configuration tuning, data processing, performance optimization, and more.

Finding: loop forever

Unbounded Resource Access (Medium severity, category Excessive Agency, 95% confidence)

Content:

## The Experiment Loop

```
LOOP FOREVER:
  1. Review current state (baseline metric, recent experiments)
  2. Propose a hypothesis — what change might improve the metric?
  3. Implement the change (modify only the in-scope file/config)
```

Finding: LOOP FOREVER

Unbounded Resource Access (Medium severity, category Excessive Agency, 96% confidence)

Content:

### The autoresearch Loop (verbatim from program.md)

```
LOOP FOREVER:
  1. Look at the git state: the current branch/commit we're on
  2. Tune train.py with an experimental idea by directly hacking the code
  3. git commit
```

Finding: LOOP FOREVER

Tool Parameter Abuse (High severity, category Tool Misuse, 98% confidence)

Content:

```
Run: uv run train.py > run.log 2>&1
Result: val_bpb 1.0050 (worse than 0.9932)
Decision: DISCARD — regression, reverted
Action: git reset --hard HEAD~1
```

**Experiment 3: Reduce model depth, increase width**

Finding: git reset --hard

Tool Parameter Abuse (High severity, category Tool Misuse, 98% confidence)

Content:

```
Run: uv run train.py > run.log 2>&1
Result: OOM crash — grep output empty, tail shows CUDA OOM
Decision: CRASH — too much VRAM, reverted
Action: git reset --hard HEAD~1
```

### Final Ledger

Finding: git reset --hard

VirusTotal

63/63 vendors flagged this skill as clean.
