Back to skill

Security audit

skill-standardization

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate skill-standardization tool, but it can automatically rewrite, move, delete, back up, and version-bump other skills with weaker user control than its risk level warrants.

Install only if you want an agent to actively modify skill projects, not just inspect them. Prefer running read-only audit commands first, review generated reports and planned changes, keep an external backup or version control commit before update/refactor/fix flows, and avoid relying on the cleanup --dry-run behavior as a no-op preview.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
                out = f.name
            result = subprocess.run(
                [sys.executable, str(checker), str(skill_dir), "--output", out],
                capture_output=True, text=True, timeout=30
            )
Confidence
91% confidence
Finding
result = subprocess.run( [sys.executable, str(checker), str(skill_dir), "--output", out], capture_output=True, text=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares `sensitive_access: true` and describes capabilities that include reading, writing, scanning, shelling out, and handling external data, but it does not expose a clear, structured permission declaration for those operations. This can cause the agent or user to underestimate what the skill may access or modify, reducing informed consent and weakening review of sensitive behaviors.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The CLI advertises a `--dry-run` mode, but the implementation still calls `finalize()` and `run_cleanup()` before printing dry-run output. This creates destructive side effects when an operator expects a no-op preview, which can cause unintended deletion of registered files and removal of manifests, undermining auditability and operational safety.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module is presented as an audit engine, but it also creates, updates, refactors, bumps versions, writes reports and state, and modifies audited skills. In a security-sensitive agent context, this is dangerous because users or orchestrators may invoke it expecting read-only analysis while it performs broad file-system mutations, increasing the blast radius of a mistaken or coerced invocation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The refactor flow archives the entire skill directory into a zip backup, which can capture far more content than is needed for standards review, including secrets, credentials, test artifacts, or unrelated files stored under the skill tree. In an agent setting this expands data exposure and retention risk, especially because backups are written automatically into predictable locations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
`fix_artifact_paths()` performs deletion, relocation, and bulk reference rewriting across the skill tree based on audit-derived metadata and heuristic matching. That is materially more powerful than a normal formatting/standardization fixer, and because it acts automatically on filesystem state, a bad finding, bad suggestion, or unexpected filename match can cause destructive or hard-to-review changes.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
`fix_create_permissions_md()` dynamically reloads modules from `sys.modules` and imports `permission_checker` at runtime, coupling a document-fix path to executable scanning logic. In a skill ecosystem where adjacent modules may be modified or untrusted, this expands the trust boundary and can trigger unexpected code execution during what appears to be a documentation repair action.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
`fix_license_compliance()` deletes root and `scripts/` LICENSE files, removes or moves `README.md`, and rewrites `SKILL.md` sections while also fabricating replacement license content when needed. For a function framed as compliance cleanup, this is destructive repository surgery that can erase authoritative legal/project documentation or replace it with incorrect text.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The `_norm_path` helper is documented and used as if it normalizes paths for comparison, but it never returns the transformed value. As a result, `None` is compared against `None`, which can silently bypass `data_dir` consistency checks between frontmatter and `_meta.json`, weakening policy enforcement and allowing mismatched or unsafe paths to go undetected.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The refactor operation silently expands its behavior beyond file restructuring by executing an additional local program (`permission_checker.py`). In a security-sensitive tooling context, hidden execution of auxiliary code increases attack surface and can trigger unexpected side effects if the checker or its dependencies are compromised, replaced, or behave unsafely.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
After refactor, the code automatically runs `python -m skill_audit`, causing execution of another program/module not strictly required for file migration. Because Python module resolution depends on the runtime environment, this can execute unexpected code if the environment is poisoned or the module is shadowed, and it also creates undisclosed side effects during a supposedly structural operation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
For a component described as a skill standardization/update tool, automatically executing another Python program is a capability escalation that is not strictly necessary for metadata and markdown checks. In this context, the danger is increased because the updater is expected to perform mostly local validation, so hidden code execution via a helper script is surprising and could be abused if the helper is tampered with or replaced in the repository.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions require modifying skill files, generating reports, and performing repair loops, while also forbidding asking the user and pushing the process toward automatic completion. That combination creates a meaningful risk of unintended local changes, especially when operating on third-party skills or user repositories.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The metadata advertises sensitive access, permission scanning, and use of an external data directory, but does not clearly warn the user about privacy implications such as scanning local content and storing audit artifacts. Users may not realize that repository data, paths, or findings can be persisted outside the skill directory.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list contains generic phrases such as asking to check whether a skill is well-written, audit a skill, or create/update/refactor a skill. In an agent environment, overly broad triggers can cause this skill to activate for routine requests outside the user's intent, leading to prompt hijacking of workflow, unintended file access within the skill's scope, or execution of higher-risk audit/refactor behaviors.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest defines triggers but provides no activation boundaries, exclusions, or disambiguation rules. This ambiguity increases the chance that the orchestrator selects the skill in contexts it was not designed for, which is risky here because the skill advertises audit, create, update, refactor, and version-bump capabilities that may influence sensitive project files.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code updates snapshot/state artifacts on disk as part of normal operation without a strong, local disclosure at the write site or a separate consent boundary. In an agent-driven workflow, silent persistence of audit state can surprise users, leak project metadata across runs, and create durable control files that affect later behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Classification metadata is persisted to `.verify_fp.json`, which influences future audit outcomes by suppressing findings, yet the persistence is not strongly surfaced at the point of write. In a security review context, silent creation of suppression state is risky because it can hide future issues and creates an audit-tampering surface if users do not realize the file exists.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The tool writes HTML audit reports to disk automatically, which may embed file paths, findings, and code excerpts. In an agent environment, silent report generation can create unexpected sensitive artifacts and widen exposure if those reports are later shared, indexed, or committed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code deletes files immediately once classified as trash, without an interactive confirmation gate, policy check, or mandatory dry-run. In a fixer that may be invoked by an LLM or automation, this creates a direct destructive-action risk from misclassification or adversarially influenced findings.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The move path automatically relocates files based on parsed suggestions and inferred categories, again without explicit user disclosure or approval. Even when not deleting data, silent relocation can break tooling, imports, documentation, and repository semantics in ways that are difficult for users to detect immediately.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
After deletion/move, the fixer scans files and rewrites matching references automatically, including regex-based substitutions. Bulk content rewriting magnifies the blast radius of any earlier misclassification and can silently corrupt code or docs across many files, especially because replacements are path-string based rather than syntax-aware.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code automatically rewrites Python files in place during `--fix-code` processing without an immediate, explicit confirmation at the point of mutation. In tooling that modifies user projects, undisclosed writes can cause integrity issues, accidental code changes, or facilitate propagation of unsafe transformations if the rewrite logic is overly broad or incorrect.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
`SKILL.md` is modified in place by injecting an authorization section without prompting the user at the moment of write. In this skill-standardization context, silent mutation of documentation can misrepresent permissions, overwrite expected content flows, and surprise users who expected analysis rather than automatic edits.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool automatically bumps versions in `SKILL.md` and `_meta.json` without explicit confirmation immediately before the write. Silent version mutation can disrupt release processes, create inconsistent metadata, and cause downstream systems to trust a changed artifact state the user did not intentionally publish.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/skill_audit/__init__.py:82