Business Blueprint

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local business-blueprint and diagram generator, but it has under-disclosed local persistence of invocation details and mismatched sensitive capability metadata that deserve review before installation.

Install only in environments where the unexplained sensitive capability tags do not grant extra authority. Use dedicated workspace folders, avoid passing secrets or full confidential notes in CLI arguments, and review generated JSON/HTML/export folders, patch logs, and generation-prompt files before sharing or committing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill instructs the agent to read repository files, write artifacts into the workspace, and execute Python scripts via subprocess/CLI, which are sensitive capabilities. Because these capabilities are not explicitly declared or constrained by a permissions model, an agent or reviewer may underestimate the skill's access and execution surface, increasing the risk of unintended file access, command execution, or dependency-triggered network activity.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The exporter mutates the caller-supplied blueprint in place by assigning `system["layer"]` during export routing. This side effect can leak across later processing steps, change downstream authorization or rendering decisions, and create hard-to-detect integrity bugs when the same blueprint object is reused elsewhere.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
This script claims a statistically significant A/B experiment, but later uses estimated baseline values and a fabricated p-value rule instead of an actual statistical test. In a business-blueprint skill, this can mislead stakeholders into trusting unsupported performance claims, causing poor deployment or procurement decisions based on falsified evidence.

Intent-Code Divergence

Severity: Low
Confidence: 89%
Finding
The code describes user satisfaction as if measured behavior, but actually derives it from a heuristic multiplier over accuracy and confidence. That creates a misleading metric that may be presented as empirical user evidence when it is only a proxy, reducing the integrity of evaluation outputs.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding
The document mandates Chinese output ('本文件定义...' and repeated strict directives) for architecture diagram generation without indicating that language should follow user preference. In a presales/business-blueprint skill, forcing a language can cause unauthorized language switching, reduce usability, and create downstream integrity issues when user-facing deliverables must match stakeholder language or locale requirements.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The document defines broad trigger cues for architecture generation such as generic keywords like 'architecture diagram', '架构图', and '--export' without clear scoping, exclusions, or confirmation requirements. In an agent skill, ambiguous triggers can cause the skill to activate in unintended contexts, pulling in additional references and changing workflow behavior, which increases the risk of prompt-surface expansion, incorrect file generation, or unauthorized handling of user content.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code persists a full copy of `sys.argv` into a timestamped markdown file in the export directory. CLI arguments commonly contain secrets such as API keys, access tokens, internal file paths, customer identifiers, or database connection strings, so this creates a durable local disclosure channel beyond normal process visibility. In this skill context, exported artifacts are intended for sharing and traceability, which makes accidental redistribution of sensitive CLI data more likely.

VirusTotal

64/64 vendors flagged this skill as clean.