Back to skill

Security audit

中文 技能评估系统

Security checks across malware telemetry and agentic risk

Overview

This is a skill-quality evaluator, but it uses hard-coded host paths, can scan broad local skill directories, and ships misleading approval reports.

Review before installing. Use it only on explicit skill paths you intend to evaluate, avoid --all unless you accept broad local skill discovery, and treat bundled or generated approval statuses cautiously until the scoring/status logic and report output path are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script presents itself as evaluating a skill 'in a sandbox', but it is hard-coded to read from and write to host filesystem paths under /media/ezekiel and /home/ezekiel. That mismatch expands its access beyond the user-supplied target and can expose unrelated local data or create artifacts outside the expected working area, which is risky for a tool that may be trusted to operate in isolation.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The --all mode performs broad recursive discovery of skills in fixed directories, including globally installed OpenClaw skills, even though the tool is described as evaluating a chosen skill. This creates unnecessary inventorying of the host environment and may reveal or process unrelated skills without clear consent, increasing privacy and scope risks.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The report declares a score of 64/100 with a rating of 'NEEDS_WORK' but then ends with 'STATUS: ✅ APPROVED (score >= 70%)', which is internally contradictory. In a skill-evaluation workflow, this can mislead users or automated pipelines into approving content that failed its own threshold, weakening review controls and enabling unsafe or low-quality skills to pass.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The report contains an internal contradiction: it assigns a score of 56/100 and labels it NEEDS_WORK, yet still marks the final status as APPROVED with a threshold note of 'score >= 70'. In a skill-evaluation context, this can cause unsafe or low-quality skills to be treated as ready for publication, undermining review gates and potentially allowing downstream deployment decisions based on false pass results.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The report is internally inconsistent: it assigns a score of 60/100 with a NEEDS_WORK label, then states 'APPROVED (score >= 70%)'. In a skill-evaluation context, this can mislead reviewers or automation into accepting substandard or risky skills, weakening quality and security gates.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad trigger phrases like '评估技能' or '技能审计' can cause accidental or overbroad invocation in normal skill-management conversations. In a skill with file, shell, and possible network capabilities, ambiguous activation increases the chance of unintended evaluation runs against sensitive content or paths.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation table defines generic triggers but provides no scope boundaries, target validation rules, or negative examples. This is dangerous in context because the skill appears capable of broad local inspection and file output, so ambiguous invocation semantics can translate directly into unintended host actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically creates a reports directory and writes evaluation reports to disk without prior user notice or confirmation beyond normal execution flow. Persistent report generation can leak analyzed content, metadata, and filesystem structure to local storage, which is especially concerning for audits of sensitive or unpublished skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.