Back to skill

Security audit

skill-sub

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent workflow-orchestration tool, but it needs review because it can broadly read/export installed skill instructions and persistently rewrite saved workflows.

Install only if you are comfortable with a workflow tool that indexes other installed skills, may send full skill instructions to an LLM when that command is used, and can persistently alter saved chains. Review before running check-gaps, prepare-llm-input without --skill, schedule/register-schedule, delete, or any command that writes chain data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill metadata declares no explicit permissions, yet the content describes capabilities consistent with environment access, file read/write, and network-driven operations such as loading user configuration, saving chain files, and searching or interacting with external data. This mismatch weakens security review and enforcement because downstream systems or users may trust the declared permission surface while the skill actually orchestrates sensitive operations.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The file implements schedule creation, viewing, removal, and registration state management, which goes beyond a narrowly scoped chain editor/planner and enables persistent automation behavior. In an agent-skill setting, expanding from planning into scheduling changes the trust boundary: a user or upstream workflow could cause chains to be configured for future automated execution without a separate, purpose-built scheduler skill or stronger authorization checks.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The create-path logic scans installed skills and reads their metadata/documentation to infer capabilities and step semantics. For a chain editor, this broadens access to neighboring skills' contents and can expose internal operational details or create an unintended reconnaissance surface, especially if those skill docs contain sensitive instructions, local paths, or privileged command hints.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The check-gaps command automatically rewrites adhesion steps into different installed skills based on substring matches against SKILL.md content, then saves the modified chain. This is dangerous because it mutates workflow semantics without trustworthy verification, allowing unintended or attacker-influenced skill substitution that could redirect later chain execution toward more privileged or harmful capabilities.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
`prepare-llm-input` emits full raw `SKILL.md` contents for selected or all changed installed skills, explicitly for downstream LLM consumption. That creates a data-exposure boundary crossing: private prompts, embedded secrets, internal procedures, or other sensitive skill text can be exfiltrated to a less-trusted model or caller, which exceeds a narrow local indexing role and is especially risky because the content is unredacted and bulk-exportable.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
`apply-blueprint` accepts externally supplied LLM-produced JSON and persists it as authoritative blueprint data for an arbitrary skill, with only format validation and no provenance or integrity checks. A malicious or compromised caller can poison the local index with fabricated step names, descriptions, and interfaces, causing downstream planning/search behavior to rely on attacker-controlled metadata and potentially misroute future agent actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/step_indexer.py:58