Agent Guardrails

Security checks across malware telemetry and agentic risk

Overview

This is a local developer guardrails skill that installs repository checks and git hooks; review the hook changes, but I found no hidden data theft or destructive behavior.

Install only in repositories where you want commit-time enforcement. Before running the installers, inspect the scripts and any generated .git/hooks files, back up existing hooks, and avoid enabling the skill-update feedback loop unless you are comfortable with a post-commit hook and a semi-automatic skills/ commit helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises shell-based installation and repository-modifying automation, but it does not declare permissions for shell or environment access. That creates a transparency and consent problem: users and host platforms cannot accurately assess or constrain what the skill can do before execution. In this context, the skill is explicitly designed to install hooks and scaffolding, so undeclared capabilities are more dangerous because they directly enable filesystem and workflow modification.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented purpose focuses on guardrails like hooks, secret detection, deployment verification, and registries, but the observed behavior extends into post-commit monitoring, auto-commits under skills/, publishing/login flows, and broader security scanning. This mismatch is dangerous because users may trust the narrow description while the skill performs materially different actions that can affect source control history, credentials, and release workflows. The security context makes this worse: a tool marketed as enforcement infrastructure is likely to be granted broad trust and access.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The installer creates a feedback-loop system that writes new scripts, installs a post-commit hook, and guides follow-on commits to the repository. Even if intended as a guardrail improvement workflow, this exceeds passive enforcement and introduces an automation path that changes repository contents over time, which can be abused or produce unintended modifications.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding: The generated auto-commit script stages and commits changes under skills/ based on a pending task file, creating a built-in repository write/commit capability. In a security-focused skill, adding commit automation is sensitive because it can normalize or enable code changes that users may not fully review, especially when paired with hooks and environment-controlled confirmation bypass.

Intent-Code Divergence

Low
Confidence: 92%
Finding: The script advertises commits as confirmation-based and semi-automatic, but the AUTO_COMMIT_NO_CONFIRM environment variable allows silent non-interactive commits. That discrepancy weakens user expectations and can be exploited in CI, wrappers, or compromised shells to commit changes without the promised human checkpoint.

Missing User Warnings

Medium
Confidence: 88%
Finding: The documentation instructs users to run a local shell installer script directly against the current project, but does not warn that this script will modify repository state and install enforcement hooks. Even though the script is local rather than piped from the network, it still executes unreviewed shell code with the user's privileges and can change git hooks or project files in ways the user may not expect.

Missing User Warnings

Medium
Confidence: 96%
Finding: The guide explicitly tells users how to bypass the pre-commit guardrails with `git commit --no-verify` and provides no warning about when that is appropriate or what protections are being skipped. In a skill whose purpose is enforcing agent safety, normalizing bypass instructions materially weakens the control and makes secret detection and policy checks easy to evade.

Missing User Warnings

Medium
Confidence: 84%
Finding: The skill instructs users to run an installer that installs git hooks, copies scripts, and creates project scaffolding, but it does not prominently warn that the repository will be modified. This can lead to unreviewed changes in developer workflow and commit behavior, especially because git hooks can block commits or enforce policy automatically. In a development-tool skill, repo modification is expected, but lack of explicit warning and consent still makes it risky.

Missing User Warnings

Low
Confidence: 78%
Finding: The deployment verification flow creates executable artifacts and a git hook template that can alter repository workflow, but the documentation does not clearly call out the operational impact. Even if intended for safety, executable verification scripts and hooks can affect developer productivity, CI behavior, and local trust boundaries if adopted without informed review. The context lowers severity somewhat because the feature is described as setup guidance rather than hidden execution, but the transparency gap remains.

Missing User Warnings

Medium
Confidence: 91%
Finding: The Chinese documentation tells users that installation will automatically install a git pre-commit hook, create registry templates, copy scripts, and modify AGENTS.md, but it does not clearly warn in the installation step which files will be changed, whether existing hooks or files may be overwritten, or how to review/undo those changes first. In a security-sensitive developer tool, undocumented automatic modification of repository behavior can surprise users, bypass normal review expectations, and create trust and supply-chain risk even if the stated goal is protective.

Missing User Warnings

Medium
Confidence: 98%
Finding: The installer writes executable scripts into the target repository and installs a post-commit hook, but it does not present a strong upfront consent step enumerating these repository-state modifications. Hidden persistence via git hooks is security-relevant because it causes future code execution on normal developer actions and may not be noticed during installation.

VirusTotal

63/63 vendors flagged this skill as clean.