C# LSP

Security checks across malware telemetry and agentic risk

Overview

This C# language-server skill is mostly purpose-aligned, but its installer and helper script need review because they can use sudo, modify persistent shell/system paths, and expose local project metadata beyond what is clearly disclosed.

Review before installing. Run setup manually, do not set SUDO_PASS, prefer a user-writable link such as ~/.local/bin/lsp-query instead of /usr/local/bin, keep LSP_WORKSPACE limited to the intended project, and remove or restrict /tmp/lsp-query-debug.log if it is created.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 83% confidence
Finding: The skill documentation describes capabilities that require access to environment variables, filesystem reads/writes, network access, and shell execution, yet no permissions are explicitly declared. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill without understanding its effective access level, increasing the chance of over-privileged execution or unsafe deployment.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The setup script modifies persistent user and system state beyond simply installing a C# language server: it edits shell RC files, creates a cache directory, changes execute permissions, and attempts to write a symlink into /usr/local/bin. Those actions increase the attack surface and privilege requirements relative to the advertised skill purpose, which is risky in an agent skill because users may not expect broad host modification during setup.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The script accepts sudo credentials from the SUDO_PASS environment variable and pipes them to sudo -S to perform a privileged symlink creation. Environment variables are commonly exposed to subprocesses, logs, crash reports, shell history helpers, or other tooling, so handling a password this way materially increases the chance of credential disclosure and unsafe privilege escalation.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: When a file is opened, the script reads the entire file contents and sends them to an external language-server subprocess. In this skill context, that means potentially sensitive source code is automatically disclosed to whichever server binary is configured or installed, and the risk increases because LSP_SERVER can override the binary globally without any validation or warning.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The code writes LSP request/notification metadata to /tmp/lsp-query-debug.log, a shared temporary location that can expose file URIs, workspace structure, and editor activity to other local users depending on system configuration. Even though it does not log full file contents here, metadata leakage from development environments can still reveal sensitive project information.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: At the point of use, the script silently consumes SUDO_PASS and immediately invokes sudo -S, which can surprise users and conceal that privileged execution is occurring with a supplied secret. In an agent/automation context this is particularly dangerous because operators may inject environment variables globally, causing unintended privileged actions without an interactive confirmation step.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal