
Security audit

Axioma KAN System

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it can write or overwrite hard-coded model files across local agent directories and gives broad admin-style guidance without enough safeguards.

Review before installing. Use only in a disposable or purpose-built Axioma-style environment, not on a workstation with valuable existing model files. Do not run training, train-all, auto-evolution, cron, or sudo/service commands unless you have checked the paths and are comfortable with overwriting generated model artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Description-Behavior Mismatch

Medium (84% confidence)
The skill is framed as KAN lifecycle management, but its documented operations extend into cluster and service administration. Scope expansion is risky because users may invoke a model-management skill without expecting it to inspect or influence broader system components, violating least privilege and increasing blast radius.

Context-Inappropriate Capability

Medium (91% confidence)
Requiring or encouraging privileged checks such as sudo/Docker access is not justified by the stated KAN-management purpose. This normalizes elevated execution for routine ML tasks and can lead operators or agents to run the skill with unnecessary privileges, magnifying harm from mistakes or abuse.

Context-Inappropriate Capability

Medium (93% confidence)
The troubleshooting guidance instructs users to start or restart services with sudo, which exceeds the justified scope of a KAN lifecycle skill. In practice, this can cause an agent or user to perform privileged system changes based on documentation alone, turning a model-management workflow into a system-administration vector.

Description-Behavior Mismatch

Medium (80% confidence)
The documented AutoResearch→Vaccine→KAN pipeline goes beyond ordinary KAN lifecycle operations into broader autonomous workflow orchestration. That enlarged mission profile increases the chance of unintended activation of unrelated processes and makes the skill more dangerous than its manifest suggests.

Intent-Code Divergence

Medium (94% confidence)
The generated training script reads config.json from its own scripts directory, but the creator writes the file to the parent KAN directory. This path mismatch causes generated training jobs to fail or behave unexpectedly, which is a real integrity and availability issue in an automation skill that is supposed to create runnable ML components. In this skill context, the risk is higher than a normal bug because it breaks generated artifacts and can mislead downstream agents into thinking training succeeded or is ready to run.

Intent-Code Divergence

Medium (96% confidence)
The script presents itself as a health checker, but its decision logic is based on loss computed from random synthetic inputs and random labels, which has no meaningful relationship to the actual health, accuracy, drift, or integrity of the loaded KAN models. In an operational lifecycle-management skill, this can misclassify broken models as healthy or trigger unnecessary retraining, undermining monitoring and potentially causing unsafe automation decisions downstream.

Description-Behavior Mismatch

Medium (95% confidence)
The health-check routine reports model status based on loss computed from random inputs and random labels, which has no relationship to actual model correctness, drift, or operational fitness. In a lifecycle-management skill, this can mislead operators into trusting broken models or replacing healthy ones, undermining monitoring and automated decision-making.

Intent-Code Divergence

Medium (91% confidence)
The training path claims to train production KAN models but uses only randomly generated samples and labels, so the saved models are effectively meaningless while appearing legitimate. In this skill context, that is dangerous because it can overwrite real model artifacts on disk and poison downstream KAN pipelines, watchdogs, or memory components with nonfunctional weights.

Vague Triggers

Medium (87% confidence)
The trigger phrase "KAN system" is so broad that it may match casual discussion or unrelated requests, causing unintended skill activation. Overbroad activation can expose filesystem operations, training routines, or admin guidance when the user did not request them.

Vague Triggers

Medium (86% confidence)
The phrase "KAN concepts" lacks a clear operational boundary and may trigger on informational or exploratory conversations. This increases the risk of accidental invocation of a skill that can read/write files and suggest privileged actions.

Vague Triggers

Medium (88% confidence)
The trigger "KAN training" is ambiguous because it does not specify which model, dataset, or level of action is intended. Ambiguous execution triggers are dangerous in skills that can create artifacts or consume substantial resources, since they can launch the wrong workflow with little user intent verification.

Vague Triggers

Medium (87% confidence)
The trigger "KAN assembly" is overly broad and could match requests for explanation, design advice, or actual pipeline modification. Because the skill describes state-changing assembly operations, vague invocation boundaries raise the risk of unintended changes or file generation.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.