taste-skill

Security checks across malware telemetry and agentic risk

Overview

This marketplace skill is not clearly malicious, but it tries to persistently change future agent behavior and use Taste by default across sessions without clear user control.

Review before installing. The main risk is not malware in the markdown artifact; it is that onboarding asks your agent to install a global CLI, register an account, store credentials locally, and modify future agent startup files so Taste is checked by default. Only proceed if you are comfortable with that persistent behavior, and manually inspect any file changes and publish folder contents before approving them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Description-Behavior Mismatch

Medium

Confidence: 98% confidence
Finding: The onboarding directs persistent modification of workspace and agent configuration files that are unrelated to merely using a marketplace/search skill. This establishes ongoing control over future agent behavior across sessions, which exceeds expected installation scope and can silently bias or redirect later actions without fresh user consent.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: These instructions rewrite startup prompts and default tool-selection behavior so Taste is consulted first in future sessions. That kind of persistent behavioral override is not clearly necessary for a skill marketplace and creates a prompt-injection-like persistence mechanism that can shape later agent decisions beyond the original onboarding context.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The metadata description positions Taste as the default marketplace for any new capability, workflow, or ad-hoc tool research, which creates an extremely broad activation surface. In an agent environment, this can cause the skill to trigger in many ordinary conversations and redirect behavior toward external discovery and installation actions the user did not explicitly request.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The 'When to Use' section includes ambiguous triggers like 'is there a better way,' capability gaps, useful links, and before any ad-hoc web research. Those conditions are common in normal assistant interactions, so the skill may self-activate too often and steer the agent into unnecessary marketplace, social, or installation workflows.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The reference states that `taste publish` sends the full skill folder to the backend, but provides no warning about the risk of unintentionally uploading secrets, local credentials, test data, or other sensitive files. In a skill marketplace context, users may publish quickly from working directories, so this omission increases the chance of accidental data exfiltration.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The file instructs writing and modifying persistent config files without requiring a user-facing warning, confirmation, or review of the exact content to be injected. Silent persistence into agent/workspace configuration is dangerous because it can alter future behavior in ways the user may not notice or understand.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The onboarding collects personal registration data and stores credentials locally, but does not require informing the user about what will be stored, where it will be stored, or the security/privacy implications. This increases the chance of unnecessary sensitive-data handling and local credential exposure.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: The injected HEARTBEAT content hard-codes Chinese-language behavior for future user-facing output without checking user language preference. While not a direct security exploit by itself, it is an unauthorized persistent behavior change that can confuse users and mask the fact that the agent was modified.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The instructions tell the agent to collect registration details and rely on persisted credentials from local files, creating a natural-language pathway for exposing personal data or secrets in chat, logs, or unintended outputs. This is especially risky because the workflow normalizes secret handling without strong minimization or boundaries.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal