GIS_SKILL_V1.0

Security checks across malware telemetry and agentic risk

Overview

This GIS knowledge skill is mostly reference material, but it also tells the agent to automatically store user feedback, search the web, and modify its own knowledge files without clear per-action consent.

Install only if you are comfortable with a GIS skill that may try to keep local feedback records and update its own files. Before use, disable self-evolution, auto-search, and feedback detection unless you explicitly want those behaviors; avoid putting sensitive project details, coordinates, credentials, or client data into feedback; and review any generated admin commands before running them on production GIS systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The prose explicitly says unlabelled CRS data should be rejected, but later guidance and scripts encourage auto-detection or proceeding with guessed CRS values. In GIS workflows this can silently produce spatially misregistered outputs that look valid, causing downstream engineering, surveying, or compliance errors rather than an obvious failure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The file expands a GIS reference skill into a self-modifying system that automatically edits its knowledge base, bumps versions, and persists feedback artifacts. This is dangerous because it gives the skill autonomous state-changing behavior outside its stated reference role, increasing the risk of unintended data retention, prompt-triggered modifications, and integrity drift from untrusted user input.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill mandates automatic external searches across official sites, blogs, and communities, which broadens it from a static GIS assistant into an agent that can fetch and ingest new information on its own. That creates supply-chain and prompt-injection risk from external content, especially because community sources are included and ingestion is tied to automatic update behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The file defines feedback quality scoring and labels users as high-value or needing attention, which is a form of behavioral profiling unrelated to the core GIS purpose. This is risky because it creates unnecessary user classification and can influence future system behavior based on retained conversational traits rather than technical need.

Intent-Code Divergence

Severity: Low
Confidence: 77%
Finding
The document claims authoritative-source verification is the only gate for inclusion, but the configuration permits technical blogs and community forums as acceptable sources. This inconsistency weakens trust boundaries and can cause lower-quality or adversarial information to be treated as acceptable input for updates.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The skill declares an extremely broad activation scope covering many generic GIS, mapping, ETL, database, WebGIS, AI, and standards-related terms. In an agent-routing system, this can cause over-triggering and mis-selection, pulling the model into this skill for ordinary requests that only loosely mention these terms, which can crowd out more appropriate skills and increase the chance of incorrect or policy-bypassing behavior through unintended context injection.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The auto-trigger keyword lists are broad, conversational phrases that can easily appear in normal user dialogue, which can cause the feedback/self-evolution workflow to activate unintentionally. In this skill, unintended activation is more dangerous because self_evolution_enabled and auto_search_enabled are enabled, so ordinary chat could be misclassified as correction or knowledge-gap signals and drive unwanted updates, searches, notifications, or feedback storage.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The file states that feedback records are appended automatically when 'feedback keywords' are detected, but it does not define a narrow scope, confirmation step, or boundary for when logging should occur. In an agent setting, this can cause unintended persistence of normal conversation text, creating privacy, data-retention, and prompt-manipulation risks because benign user utterances may be misclassified as actionable feedback and stored.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger phrases include very common conversational language such as '还有' or '具体怎么操作', which can appear in ordinary requests rather than true feedback. This broad matching can repeatedly enqueue logging or workflow actions from routine user messages, leading to unintended state changes, privacy issues, and attacker opportunities to steer the skill's self-evolution or search queue through innocuous phrasing.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The auto-trigger rules are broad enough to fire on ordinary user language such as follow-up questions, corrections, or any uncertainty in responses. In a skill with a stated 'self-evolution' mechanism and automatic maintenance behavior, this can cause uncontrolled logging and workflow activation from normal conversation, increasing the risk of prompt-driven state changes, noisy records, and unintended data retention.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The maintenance rule says to automatically append records whenever users ask follow-up questions, correct answers, or the system cannot answer, but it does not define what content may be stored or who authorizes the write. This creates a prompt-injection and data-governance risk because normal or adversarial conversation can modify the skill's feedback state, potentially persisting misleading, sensitive, or low-quality entries.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document shows webhook URL formats for 企业微信 (WeCom) and 钉钉 (DingTalk) with credential-bearing query parameters (`key=` / `access_token=`), but it does not warn readers not to paste real secrets into docs, code, logs, or chat. In a skill focused on automation and IM-triggered task execution, this normalization of secret-in-URL usage increases the chance of credential leakage via screenshots, shell history, referrers, logs, or source control.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document provides administrative REST API examples, including token creation and DELETE operations, without prominent warnings about least-privilege use, credential handling, or the consequences of destructive endpoints. In a reusable agent skill, this can normalize unsafe operator behavior and make accidental deletion or over-privileged automation more likely.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The document includes administrative examples using default-style credentials such as `admin:geoserver` and a weak sample password `password123` without any warning that these are insecure placeholders. In a reusable skill or knowledge base, readers may copy these commands into real deployments, normalizing unsafe credential practices and increasing the chance of unauthorized administrative access.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The file provides restart, cache truncation, and cache regeneration commands for GeoServer and ArcGIS Server without warning that they are disruptive production operations. Users could run them directly against live services, causing outages, degraded performance, stale data exposure, or heavy backend load during business hours.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document explicitly recommends writing diagnostic data to %TEMP% log files and later demonstrates HTTP/API request handling, but it does not warn that prompts, responses, errors, or other user-derived content may be persisted locally. In an add-in context handling enterprise GIS data, logs in shared or weakly protected temp locations can expose sensitive project, location, or credential-adjacent information to other local users, support tools, or malware.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill recommends direct HTTP calls that transmit prompt content to a local or external service, but it does not clearly disclose that user input and possibly sensitive GIS/project data leave the add-in process boundary. In this context, prompts may contain regulated geospatial, infrastructure, or customer data, so omission of consent, endpoint trust guidance, and transport security considerations creates a real data exposure risk.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger phrases for feedback detection are overly broad and include common conversational language, so ordinary dialogue may be misclassified as correction, scoring, or update requests. Because these triggers feed logging and repair workflows, ambiguous phrasing can unintentionally activate persistence and self-modification paths.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The file states that self-evolution runs automatically after user questions, but it does not clearly define non-triggering contexts or hard boundaries. Unclear activation scope is dangerous because background workflows may run in situations where users expect a read-only answer, leading to unexpected logging, searches, or state changes.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to capture users' raw statements and store them in local feedback logs without clearly warning users about retention or privacy implications. This is dangerous because natural-language inputs may contain sensitive project, personal, or proprietary information that becomes persistently stored without informed consent or minimization.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script automatically deletes older backup archives beyond the most recent five without prompting the user, dry-run output, or a recycle/safe-delete mechanism. While this behavior appears intended as routine retention management rather than malicious deletion, it can still cause unintended data loss if the backup directory contains important archives the user expected to keep.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The file creates a persistent logging path for user-provided natural-language content, including raw statements and associated metadata. This introduces a data retention surface that can accumulate sensitive or confidential information over time, especially in enterprise GIS contexts where user prompts may include internal datasets, locations, or operational details.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The persistent tracking files for knowledge gaps, revision history, and feedback can accumulate user-derived content and operational metadata without documented minimization safeguards. Over time, these files become an unbounded local memory store that may expose sensitive details, provenance from user corrections, and internal workflow history.

VirusTotal

64/64 vendors flagged this skill as clean.