Math Utils Native

Security checks across malware telemetry and agentic risk

Overview

This calculator skill is openly built around local command-line tools, but crafted calculator input can escape into commands on the user's machine.

Review carefully before installing. Do not use this skill with untrusted expressions or on a machine with sensitive files or credentials unless it is changed to use a safe math parser, strict input validation, and no shell interpolation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

High
Confidence: 99%
Finding
The comments describe a calculator, but the implementation builds shell commands by interpolating the user-controlled expression directly into execSync calls. On Linux/macOS, an attacker can inject shell metacharacters into the bc or python3 command string; on Windows, the PowerShell invocation also embeds unsanitized input, enabling arbitrary command execution rather than mere arithmetic evaluation.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill launches subprocesses and executes shell commands as part of normal operation, even though the apparent task is simple arithmetic. Because the subprocess command lines include attacker-controlled input, this grants the skill unnecessary command-execution capability and makes the skill far more dangerous in any agent environment where users can supply expressions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that user-provided mathematical expressions will be handled by generating and executing local CLI commands, but it does not warn users about this execution model or its risks. In this context, untrusted expression input flowing into shell tools like `bc`, `python3`, or PowerShell can become command/code injection depending on implementation, so the omission hides a materially dangerous trust boundary.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill executes user-supplied input in shell/PowerShell contexts without any warning, confirmation, or indication that the input will leave the application boundary. This increases the likelihood of accidental or adversarial abuse, because a caller expecting a harmless calculator may unknowingly trigger OS-level command execution.

VirusTotal

65/65 vendors flagged this skill as clean.
