Back to skill

Security audit

triphasic-execution

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed execution-workflow helper, but it adds broad command interception, persistent logging, optional background monitoring, and an unauthenticated local settings server that are under-declared and need careful review.

Install only if you specifically want a local execution-discipline framework that records task progress and command failures. Avoid enabling global mode or the exec wrapper unless you are comfortable with commands and outputs being routed through this skill and stored locally. Do not run the settings server while browsing untrusted websites, and review or restrict TRIPHASIC_HOME logs if commands may contain secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (36)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        if sys.platform == "win32":
            result = subprocess.run(
                ["cmd.exe", "/c", command_str],
                capture_output=True,
                text=True,
Confidence
97% confidence
Finding
result = subprocess.run( ["cmd.exe", "/c", command_str], capture_output=True, text=True, timeout=timeout, en

subprocess module call

Medium
Category
Dangerous Code Execution
Content
shell_chars = {"|", "&&", "||", ">", "<", "$", "`", "~", ";", "(", "}"}
            needs_shell = any(c in command_str for c in shell_chars)
            if needs_shell:
                result = subprocess.run(
                    ["bash", "-c", command_str],
                    capture_output=True,
                    text=True,
Confidence
99% confidence
Finding
result = subprocess.run( ["bash", "-c", command_str], capture_output=True, text=True, timeout=timeout,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
timeout=timeout,
                )
            else:
                result = subprocess.run(
                    cmd_args,
                    capture_output=True,
                    text=True,
Confidence
76% confidence
Finding
result = subprocess.run( cmd_args, capture_output=True, text=True, timeout=timeout, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill metadata declares low sensitivity and no meaningful permissions despite documented behaviors that imply shell execution, file read/write, environment access, network use, and persistent state management. This under-declaration is dangerous because it can cause users or host systems to grant trust based on inaccurate metadata, enabling broader execution and data access than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose presents the skill as a workflow/planning aid, but the behavior set expands into command interception/execution, background monitoring, logging, config mutation, local server startup, and possible self-modification. That mismatch is dangerous because it obscures the true attack surface and can trick operators into loading a skill with far more invasive capabilities than its description suggests.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The permission report shows this skill has broad operational capabilities, including 21 subprocess calls and 6 file deletions, which materially exceed what is expected for a three-step execution/review workflow description. A skill that can spawn commands and delete files creates a meaningful path to command execution or destructive actions if the surrounding approval flow is bypassed, misconfigured, or socially engineered.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Subprocess execution is a high-risk capability because it can launch arbitrary local commands, invoke other interpreters, and potentially chain into data access or system modification. In the context of a planning/review loop skill, this capability appears unjustified by the declared purpose, which increases suspicion that the implementation is over-privileged and dangerous if misused.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
File deletion is destructive and can permanently remove user or application data. Because the declared skill is an execution-loop framework rather than a file-management utility, delete operations appear mismatched to purpose and create unnecessary blast radius if triggered accidentally or maliciously.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document downplays risk by claiming there are no high-risk operations and only local monitoring/recording, while elsewhere it documents command interception and a persistent daemon/global mode. Even without direct proof of malicious behavior, this mismatch can mislead users and reviewers into granting broader trust or permissions than the skill's actual capabilities warrant.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A skill framed as an execution/review/advance workflow also includes a global daemon and command-execution interception, which materially expands its operational reach beyond simple task guidance. That gap in scope justification increases the chance of unexpected monitoring or behavioral changes across unrelated tasks, especially if enabled globally.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documented purpose emphasizes a three-phase execution/review/advance framework, but the implementation doubles as a global shell-command interceptor and executor. That mismatch is security-relevant because users may grant trust based on the benign planning description while the code introduces far broader execution and monitoring behavior.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This section provides a general-purpose arbitrary command execution primitive that is not narrowly justified by a planning/review framework. The skill context makes this more dangerous because it presents as workflow assistance while embedding a powerful execution surface that can be abused for destructive or stealthy system actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The wrapper persistently stores full command text and captured output to a local pipe file, which can include secrets, tokens, file paths, personal data, or proprietary content. This exceeds the obvious need of a planning loop and creates a confidentiality risk if local files are later read by other processes, users, or tools.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The installer encourages users to register a shell function named `exec`, which overrides a common shell built-in/command name and intercepts future command usage through the skill's wrapper. In the context of a planning/execution skill, this extends behavior beyond local skill installation into persistent shell-level command mediation, which can surprise users and create an opportunity for monitoring, command manipulation, or unsafe trust expansion if the wrapper changes later.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file implements a persistent background daemon that continuously monitors execution output and logs failures, which exceeds the stated three-step execution-loop purpose of the skill. This scope expansion is dangerous because it introduces ongoing surveillance and data retention capabilities that users may not reasonably expect from a planning/execution aid.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill includes start/stop/status management for a background process even though the manifest describes a stepwise execution framework, not system-level persistence. This is risky because it gives the skill long-lived behavior and process control capabilities that can continue operating outside the immediate user task context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code persistently records command outputs, symptoms, causes, and raw output slices to JSONL logs. In the context of an execution assistant, command output may contain secrets, file paths, tokens, internal errors, or other sensitive operational data, so storing it by default broadens the data exposure surface beyond the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The HTTP handler exposes configuration read and write endpoints without any authentication or CSRF protection, and explicitly enables cross-origin access via Access-Control-Allow-Origin: *. A local website opened in the user's browser could issue requests to localhost and read or modify the skill's configuration, potentially redirecting file paths or changing behavior without user intent.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This code rewrites SKILL.md based on runtime configuration, which expands the effect of a settings action from data persistence into modifying documentation/instructions. In this agent-skill context, altering SKILL.md can change what future users or agents see as the skill definition, creating a persistence and integrity risk beyond normal config management.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
In cmd_complete, the auto_idle_cutoff branch may set data["status"] = "aborted" for over-idle tasks, but the code immediately afterward unconditionally overwrites the status to "completed". This defeats the advertised enforcement logic and can cause downstream systems or operators to trust tasks that should have been blocked, reducing integrity of task-state controls.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest includes very broad triggers such as "Execute", "Review", "Advance", and generic workflow terms like "步骤" and "retry". These can cause the skill to activate in unrelated conversations, unexpectedly injecting its behavior and potentially altering model execution or user interactions without clear user intent.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill enforces Chinese-only structured output across mandatory phases without indicating that language should follow user preference or system context. This can degrade usability, obscure safety-critical information for users who do not read Chinese, and interfere with downstream auditing, review, or operator oversight in multilingual environments.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrase for opening configuration is broad enough to plausibly overlap with ordinary conversation, which can cause unintended activation of configuration behavior. In an agent setting, ambiguous triggers can lead to surprise UI launches or state changes that the user did not explicitly intend.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code writes complete commands and output to persistent storage without a clear upfront warning that sensitive data may be captured. This is dangerous because shell commands frequently embed credentials, hostnames, internal paths, and confidential output, and users may not expect a planning skill to retain them.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Appending failed commands and stderr excerpts to `PROBLEMS.md` can persist sensitive operational data without user awareness. Error output often contains environment details, file paths, stack traces, or secrets, so automatic retention increases disclosure risk beyond the stated function of the skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.