Back to skill

Security audit

Knowledge Retrieval Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local document search and knowledge-base maintenance tool, but users should understand that it creates persistent local indexes and extracted-text caches.

Install this only for folders you are comfortable indexing and caching locally. Put the workspace in a trusted location, confirm the source and workspace paths before initialization, review any dependency-install prompt before approving it, and avoid sensitive client or regulated documents unless your selected LLM provider is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to read local files, write indexes/caches/metadata, and run shell commands, yet it declares no permissions. This creates a trust and enforcement gap: a host may present the skill as lower risk than it is, and users or policy layers may not realize that local file writes and subprocess execution are part of normal operation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The published description understates behavior that materially affects security and privacy, including broader document ingestion, persistent extracted-text caching, and automatic index rebuild subprocesses. When behavior exceeds what is clearly disclosed, users may authorize a retrieval tool without understanding that sensitive document contents will be transformed, stored, and shell-invoked maintenance may occur.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The document instructs executing local scripts and potentially installing packages (`setup.bat`, `pip install`) as part of retrieval flow, which expands the skill from passive knowledge retrieval into code execution and environment modification. That is dangerous because it can change the host system, introduce supply-chain risk, and run project-local scripts without an explicit trust boundary or user consent for each action.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill directs shell command usage (`dir`, `ls`, later Python scripts) as an automatic part of operation without clearly constraining scope or warning that host commands will be executed. Even simple local command execution increases the attack surface because it normalizes running commands derived from project state and can expose or modify local environment details if later extended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs automatic edits to `data_structure.md` when files are added, deleted, or paths change, but does not require explicit notice or approval before modifying user content. Silent metadata changes are risky because they can corrupt user-maintained documentation, overwrite intentional edits, and normalize unexpected write behavior in what appears to be a retrieval skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates automatic index rebuild and may trigger script execution or package installation without an explicit warning that local commands will run. This is dangerous because users invoking a search workflow may unknowingly authorize code execution, dependency changes, and script-driven system modifications that exceed ordinary retrieval expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requires updating the description column in `data_structure.md` after reading files, again without an explicit user warning that metadata will be edited. This creates an integrity risk because the assistant is instructed to rewrite organizational metadata based on its own interpretation, which may introduce inaccuracies or unwanted changes over time.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.