安全工具执行器 (Safe Tool Executor)

Security checks across malware telemetry and agentic risk

Overview

This skill does not look like malware, but it overstates safety controls and has mismatched sensitive capability signals, so it needs review before use.

Review carefully before installing. Use this only as a demonstration or coarse classifier unless the publisher adds real enforcement, truthful simulation-only wording, explicit command/path boundaries, and removes or justifies the unrelated wallet, transaction-signing, and sensitive-credential capability tags.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation explicitly includes executable tools and shell-level operation examples (such as cat, rm, curl), but the metadata declares no corresponding permission boundary. Without an explicit permission declaration, the host system or user can misjudge the skill's capability scope, which can lead to the skill being wrongly enabled in a higher-privilege environment and widens the risk of misuse and out-of-scope execution.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill claims to enforce least-privilege execution, pre-execution validation, and approval gates for dangerous tools, but the implementation only classifies tool names and returns metadata. In a security-sensitive agent setting, this mismatch can cause downstream systems or operators to trust the skill as a protective control when it provides no real enforcement, leading to unsafe tool execution outside the promised safeguards.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The top-level documentation describes 'safe tool execution' and least-privilege enforcement, but the code never executes tools and never enforces those controls. In the context of an agent skill explicitly marketed as a safety boundary, deceptive or overstated documentation is dangerous because it can be integrated as if it were a real guardrail, creating a false sense of protection.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase “工具执行” (“tool execution”) is overly broad and can easily activate the skill during ordinary discussion of how to run tools, explanations of commands, or even harmless automation requests. For a skill that touches dangerous-command review and tool-call control, false triggering enlarges the exposure surface and may escalate an ordinary conversation into a context involving file/command handling.

Vague Triggers

Medium
Confidence
82% confidence
Finding
“人工审批” (“human approval”) is a generic business term that can appear, and trigger the skill, in many non-security scenarios. Although the harm is low in isolation, it causes the skill to be mis-routed, lets it wrongly intervene in decision flows, and brings high-risk tool-execution logic into unrelated conversations.

VirusTotal

VirusTotal findings are pending for this skill version.