Back to skill

Security audit

Security Audit Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate security-audit skill, but it can run active network scans with broad target scope and limited user-facing safeguards.

Install only if you intend to run active security scans and can verify each target is yours or explicitly authorized. Review the target and output directory before execution, treat generated reports as sensitive, and do not rely on this package as a complete OWASP or compliance audit without additional manual review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and demonstrates shell-based execution of active security scanning commands, but no permissions are declared to signal or constrain that capability. This creates a trust and governance gap: an agent could invoke network scans or local scripts without clear user consent boundaries, which is especially risky for infrastructure-targeting actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrase list is broad enough that normal user requests about security audits, vulnerability scans, penetration tests, or hardening could activate the skill unexpectedly. Because this skill performs active infrastructure scanning, unintended activation could lead to unauthorized probing, noisy network activity, or policy violations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description presents active scanning and report generation as standard features but does not warn users that these actions may probe hosts, generate traffic, touch sensitive infrastructure, and create potentially sensitive output files. In a security-audit context, missing warnings materially increases the chance of accidental scans against unauthorized targets or insecure handling of vulnerability reports.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.