Security audit

SkillCompass — Skill Evolution Engine

Security checks across malware telemetry and agentic risk

Overview

SkillCompass appears to be a genuine local skill evaluator, but it needs Review because it auto-runs hooks, scans installed skills, writes persistent state and configuration, and can run shell/git update workflows, while parts of the documentation understate that scope.

Install only if you want a powerful local skill-management tool that can monitor skill use, scan installed skills, write snapshots/logs, and run local commands. Review hooks/hooks.json, lib/update-checker.js, commands/setup.md, and shared/tool-instructions.md first. Avoid enabling the statusLine option until the missing hud-extra.js path is resolved; do not trust custom security tool commands from an untrusted .skill-compass/config.json; and back up ~/.claude/settings.json and important skills before using the write/update/rollback flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 87%

The skill advertises executable behavior and references Node, shell commands, environment variables, local file writes, and optional update mechanisms, but it does not declare permissions or otherwise clearly scope those capabilities in the manifest. That creates a trust-boundary problem: users and host systems cannot reliably understand what the skill may access or modify before activation.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%

The top-level description presents the skill primarily as an evaluation and improvement tool, but the content indicates materially broader behavior including onboarding injection, persistent configuration changes, snapshot/version management, audit logging, integrity monitoring, and update/fetch actions. This mismatch can mislead users into authorizing a tool whose effective scope is wider than disclosed, increasing the chance of unintended persistence or modification.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%

The rollback flow does more than restore a previous version: it snapshots current content, overwrites SKILL.md, updates the manifest, and appends to an audit log. Those are persistent state changes outside a minimal read/preview operation, so if triggered unexpectedly or on the wrong target they can alter skill state and create durable records without clear up-front disclosure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%

The command explicitly introduces Node.js execution to perform audit logging, which expands the command's capability surface beyond simple file restoration. Allowing script execution from a command spec increases risk of unintended code execution behavior, dependency abuse, or environment-specific side effects, especially when a plain file append would suffice.

Context-Inappropriate Capability
Severity: High
Confidence: 98%

The command explicitly authorizes execution of L2 custom tools sourced from local configuration, which can lead to arbitrary code execution during a security scan. Because this occurs in a security-analysis context where the target may be untrusted, invoking locally configured tools without strict validation, allowlisting, and sandboxing substantially increases the risk of abuse or accidental execution of dangerous programs.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%

The command instructs broad filesystem discovery across multiple local and home-directory skill paths even when evaluating a single target SKILL.md. This expands access beyond the requested file, creating unnecessary collection of unrelated user data and increasing the blast radius if the command is run in sensitive environments.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%

The command runs local JavaScript through Bash/Node as part of evaluation, using a path-derived argument inside a shell command. Even if intended for local validation, this creates command-execution and trust-boundary risk because the evaluator is no longer just reading the target file; it is executing code in the local environment.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%

The setup flow for a skill-quality auditor extends into writing persistent global UI configuration in ~/.claude/settings.json. That is outside the minimally necessary scope of inventory/health checking, increases the skill's authority, and can cause unexpected lasting changes to the user's environment even when framed as convenience.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%

The command instructs modification of a global user configuration file for functionality unrelated to core skill evaluation. Persistent config writes create a trust and safety issue because they can alter later agent behavior and user interface state beyond the current session.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%

The skill directs the agent to invoke Bash and execute inline Node.js assembled with data from inventory entries. If any skill metadata such as name or path is attacker-controlled, embedding JSON into a shell-invoked `node -e` command can create command/quoting injection or at minimum expands execution authority beyond simple reporting. The danger is increased because this runs local code during a reporting workflow, where users may not expect code execution.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%

This command directs the agent to execute shell and Node operations (`node -e`, `git fetch`, `git pull`, `git log`) and invoke local modules based on installed skill inventory and user selection. Because skills are treated as adversarial input and update targets are remote repositories, this expands from passive evaluation into active code/repository interaction, creating a real attack surface for command injection, unsafe repository handling, or pulling untrusted changes into the local environment.

Description-Behavior Mismatch
Severity: Medium
Confidence: 84%

The skill metadata describes evaluation and quality improvement, but this file also performs repository update management, snapshotting, rollback preparation, and post-update scanning. That mismatch is security-relevant because it hides privileged behavior from users and reviewers, reducing informed consent and making it easier for a skill to gain access to networked modification workflows that exceed its declared purpose.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%

When no Git root is found, the hook switches its storage root to the user's home directory and then creates or updates .skill-compass data there. This expands writes beyond the edited skill's local project boundary and can cause unexpected persistence of skill contents, metadata, and snapshots in a broader user scope, which is risky for privacy and least-astonishment even if not overtly malicious.

Intent-Code Divergence
Severity: High
Confidence: 98%

The prompt declares a hard safety rule forbidding reads outside the skill path, then later mandates reading `{baseDir}/shared/skill-registry.json`, `{baseDir}/shared/llm-capability-baseline.md`, project skills, and user skills. This contradiction can cause an agent to override its own sandboxing assumptions and access files outside the analyzed skill, enabling unintended data exposure from local project or user directories.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

These instructions explicitly authorize shell-based discovery and execution of external tools via Bash. That expands the skill from passive quality evaluation into active command execution, creating attack surface through PATH hijacking, unsafe tool invocation, compromised local binaries, or unintended execution in environments where the skill should not run shell commands at all.

Context-Inappropriate Capability
Severity: High
Confidence: 99%

The skill permits execution of user-configured shell commands from config.json with a substituted path placeholder. This is effectively arbitrary command execution controlled by local configuration, and if that configuration is modified by another process, package, or attacker, the skill becomes a launcher for untrusted commands with the agent's privileges.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%

The file documents behavior that includes external tool orchestration and mutation of .skill-compass/config.json, but the skill metadata describes only evaluation/improvement and usage tracking. This mismatch is security-relevant because it hides privileged behaviors from users and reviewers, undermining informed consent and making risky capabilities harder to detect and govern.

Vague Triggers
Severity: Medium
Confidence: 92%

The README explicitly encourages broad natural-language activation such as "improve the nano-banana skill" and "what skills haven't I used recently?" rather than constraining use to a narrow command surface. In agent environments, overly broad trigger guidance can cause accidental invocation during ordinary conversation, leading the skill to inspect local skills, usage history, or perform evaluation workflows when the user did not intend to activate it.

Vague Triggers
Severity: Medium
Confidence: 78%

The skill is configured to activate for broad themes like skill quality, evaluation, inbox, suggestions, or improvement, which are common conversational topics. Overbroad triggers can cause unintended invocation of a skill that performs scanning, state writes, and onboarding-related actions, expanding exposure without a clear user request.

Vague Triggers
Severity: Medium
Confidence: 90%

The onboarding flow is triggered automatically on session start and instructs the agent to act before the user issues a command. In this skill's context, that can lead to immediate scanning, state creation, and possible configuration prompts or writes based on ambient context rather than an explicit user request.

Missing User Warnings
Severity: Medium
Confidence: 97%

The instructions overwrite SKILL.md and modify the manifest as part of rollback, but they do not explicitly warn the user that files will be changed before performing those writes. In a skill-quality tool, silent destructive or stateful edits are more dangerous because users may expect evaluation assistance rather than direct repository modification.

Missing User Warnings
Severity: Low
Confidence: 89%

The audit step persists rollback events to .skill-compass/cc/{skill-name}/audit.jsonl without explicit disclosure that a durable activity log will be created or updated. While lower impact than overwriting the skill itself, undisclosed persistent logging can surprise users, leak operational history, and complicate privacy or retention expectations.

Missing User Warnings
Severity: Medium
Confidence: 95%

Shell execution of a path-derived Node command without an upfront warning is dangerous because users may believe they are performing passive evaluation while the skill actually executes local commands. This increases the chance of unintended execution against attacker-controlled paths or repositories and undermines informed consent.

Missing User Warnings
Severity: Medium
Confidence: 90%

The security evaluation step launches additional Bash-based scans without clearly warning the user first. In a security-analysis context this is more dangerous, not less, because users may point the tool at untrusted content and not expect active local execution or scanning side effects.

Missing User Warnings
Severity: Medium
Confidence: 84%

The command writes artifacts to disk without a prominent warning, which can leak evaluation results, overwrite prior state, or leave unexpected traces on shared systems. While lower severity than code execution, silent persistence still creates privacy and operational risk.

VirusTotal

No VirusTotal findings

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Shell command execution detected (child_process).
Severity: Critical
Code: suspicious.dangerous_exec
Location: lib/update-checker.js:67

Environment variable access combined with network send.
Severity: Critical
Code: suspicious.env_credential_access
Location: lib/update-checker.js:164

File read combined with network send (possible exfiltration).
Severity: Warn
Code: suspicious.potential_exfiltration
Location: lib/update-checker.js:202