
Security audit

Axioma 守护

Security checks across malware telemetry and agentic risk

Overview

This appears to be a defensive security skill, but it overstates its protection and has under-disclosed network behavior that users should review before relying on it.

Treat this as a Review item, not confirmed malware. Install only if you are comfortable with remote reputation checks and a local Merlin analysis endpoint receiving scanned skill identifiers or threat data, and do not rely on it as a complete malware blocker until the publisher aligns the documentation with the code, implements real local scanners or removes those claims, declares dependencies and endpoints, and replaces hardcoded service status with real checks.

SkillSpector
By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill advertises and documents actions that require network access, file reads, and likely environment access, but it declares no permissions. This creates a trust and enforcement gap: a host may allow the skill to run without prompting for capabilities users would expect to review, and hidden capability use in a security tool is especially sensitive because operators may grant it elevated trust.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is limited to Clawdex checks and four fixed vaccine scans, but the behavior reportedly includes an undocumented localhost API call, a generic vaccine-generation command for arbitrary threat IDs, and status output that can falsely claim services are online. In a security product, undocumented network interactions and misleading health/status reporting are dangerous because they can hide unexpected data flows, generate unreviewed content, and cause operators to trust scans that were never actually validated.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The skill description advertises four local malware-scanning 'vaccines', but the implementation only performs remote reputation checks and remote vaccine generation. In a security tool, this mismatch is dangerous because users may rely on protections that do not actually exist, causing false assurance and missed detection of local threats.

Intent-Code Divergence
Severity: Low
Confidence: 92%
Finding: The status command hard-codes that Clawdex and Merlin are connected and online without performing any health check. This can mislead operators during incidents or offline conditions, reducing the trustworthiness of the security tool and delaying response when protections are actually unavailable.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code sends skill names and threat data to external or local services automatically, with no explicit disclosure, consent flow, or data minimization controls. In a security-auditing context, scanned artifact names or metadata may themselves be sensitive, so silent transmission can create privacy, confidentiality, and compliance risks.

VirusTotal

66/66 vendors flagged this skill as clean.