
Security audit

GIS_SKILL_V5.0

Security checks across malware telemetry and agentic risk

Overview

The skill is a broad GIS automation package, but by default it also enables self-evolution, feedback retention, external update checks, package rewriting, and some mutation of source data. Users should review each of these behaviours before installing.

Install only if you want an active GIS automation and self-evolving knowledge system, not just a read-only reference skill. Before use, disable automatic self-evolution/search unless needed, review feedback retention, run scripts only on copies of GIS data, and treat the topology/3D conversion outputs as needing manual validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (108)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises itself as a knowledge-base/documentation skill, but the content explicitly describes capabilities for reading and writing files, invoking shell/subprocess-based tooling, and performing network-backed update/evolution workflows. When such capabilities are undeclared, users and policy layers cannot accurately scope or constrain what the skill may do, increasing the risk of unexpected code execution, repository mutation, or outbound access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
There is a strong mismatch between the declared purpose of a GIS reference skill and the operational behavior described in the file: repository-wide rewriting, watermark injection, snapshot/rollback management, subprocess orchestration, and external crawling. This makes the skill materially more dangerous because a user invoking it for ordinary GIS help could unintentionally trigger broad system or repository modifications and network activity outside the expected trust boundary.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script writes that geometry validity 'passed' and references RepairGeometry, but no such validation or repair is actually performed. This can cause downstream users to trust corrupted or invalid spatial output, potentially propagating bad data into regulatory, surveying, or engineering workflows where integrity matters.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises DWG↔GIS bidirectional conversion, but the implementation only performs DWG/DXF to GIS export. In an automation context, this kind of capability overstatement can cause users or downstream agents to rely on a non-existent reverse path, producing incorrect workflows, silent data handling mistakes, or unsafe compensating actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The metadata declares multiple engines and output formats, but the code path is effectively hard-wired to arcpy and GDB creation. This mismatch is dangerous because orchestration systems may select the skill assuming ogr2ogr/geopandas or GPKG/SHP support exists, leading to failed runs, inconsistent outputs, or brittle fallback logic.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The skill accepts a layer_filter parameter but never applies it during exploration or conversion. This can cause over-collection and export of all CAD layers, which is especially risky when source drawings contain sensitive, irrelevant, or unexpectedly large datasets that the caller intended to exclude.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code claims automatic CGCS2000 projection-band selection but always returns fixed WKID 4526. In geospatial conversion, incorrect CRS assignment or projection can silently corrupt spatial accuracy, making downstream engineering, surveying, or compliance outputs unreliable.
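What automatic band selection should actually do, as an added example that is not code from GIS_SKILL_V5.0: derive the CGCS2000 3-degree Gauss-Kruger zone from the data's longitude and refuse to pick a band when the extent straddles two zones. It relies on the EPSG assignment "CGCS2000 / 3-degree Gauss-Kruger zone 25..45" = EPSG:4513..4533, under which the hard-wired 4526 is zone 38 (central meridian 114E); the extents in the usage lines are constructed.

```python
# Added example (not the skill's code): CGCS2000 3-degree Gauss-Kruger band
# selection by longitude, so a fixed WKID can be checked against the data.
#
# EPSG facts used: EPSG:4513..4533 are "CGCS2000 / 3-degree Gauss-Kruger
# zone 25..45"; zone n has central meridian 3n degrees E; EPSG:4526 is zone 38.

HARDWIRED_WKID = 4526  # what the audited code returns regardless of location


def cgcs2000_3deg_zone(lon: float) -> int:
    """3-degree zone number for a longitude (zones 25..45 cover mainland China).

    Exactly on a zone boundary (e.g. 115.5E) Python's round() is bankers'
    rounding; either adjacent zone is a defensible choice there."""
    zone = round(lon / 3)
    if not 25 <= zone <= 45:
        raise ValueError(f"longitude {lon} is outside CGCS2000 3-degree zones 25-45")
    return zone


def cgcs2000_3deg_wkid(lon: float) -> int:
    """EPSG/WKID of the zoned 3-degree Gauss-Kruger projection at this longitude."""
    return 4513 + (cgcs2000_3deg_zone(lon) - 25)


def central_meridian(wkid: int) -> float:
    """Central meridian (degrees E) of a zoned 3-degree WKID in 4513..4533."""
    if not 4513 <= wkid <= 4533:
        raise ValueError(f"{wkid} is not a CGCS2000 3-degree zoned WKID")
    return 3.0 * (25 + (wkid - 4513))


def select_wkid_for_extent(lon_min: float, lon_max: float) -> int:
    """Pick one band for a dataset extent; refuse to guess when it spans two zones."""
    zmin, zmax = cgcs2000_3deg_zone(lon_min), cgcs2000_3deg_zone(lon_max)
    if zmin != zmax:
        raise ValueError(
            f"extent spans zones {zmin}-{zmax}; split the data or choose a band explicitly")
    return 4513 + (zmin - 25)


def hardwired_wkid_is_wrong(lon_min: float, lon_max: float) -> bool:
    """True when always returning 4526 would assign the wrong band to this extent."""
    return select_wkid_for_extent(lon_min, lon_max) != HARDWIRED_WKID


if __name__ == "__main__":
    # Constructed extents: one near 114E (zone 38) and one near 121E (zone 40).
    print(select_wkid_for_extent(113.8, 114.6), hardwired_wkid_is_wrong(113.8, 114.6))
    print(select_wkid_for_extent(120.8, 121.4), hardwired_wkid_is_wrong(120.8, 121.4))
```

The point of the extent check is that a band mismatch does not fail at runtime: reprojecting zone-40 data into zone 38 produces coordinates that look plausible and only reveal the error when overlaid with correctly projected data.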

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises production of a monomerized model and 3DTiles output, but the implementation never clips the OSGB model or generates actual 3D Tiles. In GIS production workflows this creates a dangerous integrity gap: downstream users may trust a fabricated or incomplete deliverable, leading to incorrect analysis, acceptance of bad data, or silent failure in automated pipelines.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code itself admits that full monomerization and 3DTiles generation are not performed, yet it still records a nominal output path and reports success. This is dangerous because it can mislead operators, CI jobs, or client delivery processes into treating placeholder output as a completed 3D processing result.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function signature exposes safety-related controls (`keep_output`, `fix_overlaps`, `check_gaps`), but the implementation ignores them and still performs topology checks and destructive edits on the input dataset. This creates a dangerous mismatch between the advertised API contract and actual behavior, so callers may reasonably believe they are running a non-destructive or limited-scope operation when the code will still alter production GIS data.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The function labeled as 'safe fetch' performs outbound requests to any URL passed in, with no allowlist, scheme restriction, redirect policy, or private-address protections. In this file the current source list is hardcoded, which reduces immediate risk, but in a self-evolving GIS skill that may later ingest or modify sources automatically, this can become an SSRF-style primitive or an unauthorized data exfiltration path.
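The controls this finding lists as absent, as an added example rather than the skill's own safe fetch: an https-only, allowlisted fetch that resolves the host first and refuses private, loopback, link-local and other non-public answers, and that treats any redirect as an error instead of following it. The allowlisted hosts are assumed for illustration, and the resolver is injectable so the checks can be exercised without network access.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Added example, not GIS_SKILL_V5.0's safe_fetch. ALLOWED_HOSTS is a constructed
# allowlist; a real deployment would load it from reviewed configuration.
ALLOWED_HOSTS = {"gdal.org", "epsg.org"}


class UnsafeURL(ValueError):
    """Raised for any URL that fails the pre-request policy."""


def _resolve(host: str) -> list:
    """Default resolver: every address the host resolves to (real DNS)."""
    return [ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)]


def check_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve) -> str:
    """Return url if it is https, to an allowlisted host, carries no credentials,
    and resolves only to public addresses; otherwise raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UnsafeURL(f"host not allowlisted: {host!r}")
    # Check every resolved address, not just the first: a host that returns a
    # mix of public and internal answers is still a path to the internal one.
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    return url


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 30x to an internal host would bypass check_url."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeURL(f"redirect to {newurl!r} refused")


def safe_fetch(url: str, timeout: float = 10.0, max_bytes: int = 1 << 20) -> bytes:
    """Fetch url only after it passes check_url; bounded read, no redirects."""
    check_url(url)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(max_bytes)
```

The resolve-then-connect split still leaves a DNS rebinding window between check and request; pinning the connection to the checked address closes it, but that requires a client that lets you connect by IP while sending the original Host header and SNI, which urllib does not expose.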

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document’s procedural guidance says unknown coordinate systems should be rejected pending confirmation, but the sample code later uses `-s_srs EPSG:auto`, which can cause processing to continue based on guessed CRS metadata. In a GIS workflow this can silently produce misprojected data and contaminate downstream analysis, making the contradiction operationally dangerous rather than merely stylistic.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The example builds a shell command and executes it with `os.system`, which is unsafe because file paths and format-derived values are interpolated directly into a command string. If reused in automation with attacker-controlled filenames or paths, this can enable command injection or unintended command execution on the analyst’s machine.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This second example repeats the same unsafe pattern by constructing an `ogr2ogr` shell command and executing it through `os.system`. In a knowledge-base skill meant to provide production guidance, this teaches an unsafe execution pattern that can be copied into real data pipelines and abused via crafted paths or arguments.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims the coordinate perturbation is irreversible, but it is generated from a deterministic PRNG seeded by the secret key and only applies a small bounded additive offset. If the key is known, guessed, or reused, the transformation becomes reproducible, and even without the key the small perturbation may be removable or insufficient for protecting sensitive geospatial locations.
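To make the reversibility concrete, an added example (not the skill's watermarking code) of a bounded, key-seeded perturbation of the kind the finding describes: replaying the same PRNG stream recovers the original vertices exactly, and a single known vertex is enough to test candidate keys. The key derivation, offset bound and coordinates are constructed for illustration.

```python
import hashlib
import math
import random

# Added example, not GIS_SKILL_V5.0's perturbation routine. Offsets are in the
# units of a projected CRS (metres); MAX_OFFSET is a constructed bound.
MAX_OFFSET = 0.5


def _seed(key: bytes) -> int:
    """Deterministic seed from the secret key (same as any key-seeded scheme)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def _offsets(n: int, key: bytes, max_offset: float):
    """The PRNG stream that the 'irreversible' step actually consumes."""
    rng = random.Random(_seed(key))
    return [(rng.uniform(-max_offset, max_offset), rng.uniform(-max_offset, max_offset))
            for _ in range(n)]


def perturb(coords, key: bytes, max_offset: float = MAX_OFFSET):
    """Add a small bounded, key-derived offset to every vertex."""
    return [(x + dx, y + dy) for (x, y), (dx, dy) in zip(coords, _offsets(len(coords), key, max_offset))]


def unperturb(coords, key: bytes, max_offset: float = MAX_OFFSET):
    """Exact inverse: regenerate the same stream and subtract it."""
    return [(x - dx, y - dy) for (x, y), (dx, dy) in zip(coords, _offsets(len(coords), key, max_offset))]


def recovers_original(perturbed, original, key: bytes, tol: float = 1e-6) -> bool:
    """True when unperturb(perturbed, key) reproduces original to within tol."""
    rec = unperturb(perturbed, key)
    return len(rec) == len(original) and all(
        math.isclose(rx, ox, abs_tol=tol) and math.isclose(ry, oy, abs_tol=tol)
        for (rx, ry), (ox, oy) in zip(rec, original))


def brute_force_key(perturbed, known_original, candidates, tol: float = 1e-6):
    """One known vertex suffices to test keys: a guessable key space (project
    names, short strings, reused passphrases) gives the whole transform away."""
    (ox, oy) = known_original[0]
    for key in candidates:
        (rx, ry), = unperturb(perturbed[:1], key)
        if math.isclose(rx, ox, abs_tol=tol) and math.isclose(ry, oy, abs_tol=tol):
            return key
    return None


if __name__ == "__main__":
    # Constructed vertices in a projected CRS.
    original = [(500123.456, 3380456.789), (500200.000, 3380500.250)]
    watermarked = perturb(original, b"site-7")
    print(recovers_original(watermarked, original, b"site-7"))   # holder of the key: exact recovery
    print(brute_force_key(watermarked, original, [b"site-1", b"site-7"]))  # weak key space
```

Two properties follow from the construction rather than from any implementation detail: the transform is a bijection for anyone with the key, so "irreversible" can only ever mean "irreversible without the key"; and because the offset is bounded by a known constant, even a key-less adversary knows every true vertex lies within that radius of the published one, which for sensitive sites may already be too much.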

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file defines automatic external search and link-checking behavior that goes beyond the stated role of a GIS knowledge skill and can cause unsolicited network access. This expands the skill's effective privileges, may leak user-driven topics to third-party sites, and creates a path for unreviewed external content to influence future answers or stored knowledge.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The feedback quality scoring and labels such as 'high-value feedback user' create persistent user profiling unrelated to answering GIS questions. Even if intended for quality improvement, this introduces unnecessary retention and categorization of user behavior that can affect treatment of future interactions and increases privacy risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document instructs the assistant to autonomously modify its own knowledge files and version state in response to user interactions. For a reference GIS skill, self-modification is dangerous because untrusted user input can indirectly alter future behavior, poison the knowledge base, or corrupt trusted content without adequate human review.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Scheduled background self-checks, automatic update execution, and housekeeping are outside the normal scope of a GIS Q&A skill and represent autonomous behavior expansion. Such background actions can trigger network activity, file mutation, and data processing without a current user request, increasing both privacy and integrity risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documented procedure says unannotated or unknown coordinate systems must be rejected, yet the sample automation later proceeds with automatic source CRS inference and reprojection. In a GIS workflow this can silently produce spatially misregistered outputs that look valid, leading to incorrect engineering, surveying, or compliance decisions without obvious runtime failure.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The wrapper builds an ogr2ogr shell command by interpolating file paths and parameters, then executes it with os.system, which is unsafe and unreliable. If paths or arguments contain shell metacharacters, spaces, or attacker-controlled content, this can cause command injection or unintended command execution on the host running the skill.
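One replacement that addresses the three os.system findings and the two `-s_srs EPSG:auto` findings together, as an added example that is not the skill's own wrapper: the interpolated command string is shown next to an argv-based call that never passes through a shell, and the wrapper enforces the document's own rule that an unknown source CRS is rejected rather than guessed. The file names, CRS codes and accepted extensions are constructed assumptions; ogr2ogr's `-f`, `-s_srs` and `-t_srs` options and its `dst src [layer ...]` positional order are real.

```python
import os
import re
import subprocess
from pathlib import Path

# Added example, not GIS_SKILL_V5.0's wrapper.


def build_cmd_unsafe(src: str, dst: str, s_srs: str = "EPSG:auto") -> str:
    """The pattern under audit: values interpolated into one shell string.
    A source named `plan.dxf; rm -rf ~` becomes shell code when run."""
    return f"ogr2ogr -f GPKG {dst} {src} -s_srs {s_srs} -t_srs EPSG:4526"


def run_unsafe(src: str, dst: str) -> int:
    """Shown for comparison only; never called here."""
    return os.system(build_cmd_unsafe(src, dst))


_CRS_RE = re.compile(r"^EPSG:\d{4,6}$")
_SOURCE_TYPES = {".dxf", ".dwg", ".shp", ".gpkg"}  # assumed accepted inputs


def validate_crs(code) -> str:
    """Accept only an explicit EPSG code. 'EPSG:auto', None and '' are
    rejected so that processing stops until the CRS is confirmed."""
    if not isinstance(code, str) or not _CRS_RE.match(code):
        raise ValueError(
            f"source CRS must be an explicit EPSG code, got {code!r}; confirm it before converting")
    return code


def build_argv(src, dst, s_srs, t_srs="EPSG:4526", layers=()) -> list:
    """argv list: one element per argument, never re-parsed by a shell, so
    spaces, quotes and metacharacters in paths stay literal."""
    src_p, dst_p = Path(src), Path(dst)
    if src_p.suffix.lower() not in _SOURCE_TYPES:
        raise ValueError(f"unexpected source type: {src_p.suffix!r}")
    argv = ["ogr2ogr", "-f", "GPKG",
            "-s_srs", validate_crs(s_srs), "-t_srs", validate_crs(t_srs),
            str(dst_p), str(src_p)]
    argv += [str(layer) for layer in layers]  # the layer filter is actually applied
    return argv


def convert(src, dst, s_srs, t_srs="EPSG:4526", layers=()):
    """Run ogr2ogr with shell=False (the default) and fail loudly on error."""
    argv = build_argv(src, dst, s_srs, t_srs, layers)
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed inputs; convert() is not called so this runs without GDAL.
    print(build_cmd_unsafe("plan.dxf; rm -rf ~", "out.gpkg"))
    print(build_argv("site plan (v2).dxf", "out.gpkg", "EPSG:4490", layers=["Buildings"]))
```

Rejecting the guess is deliberately the only behaviour for an unknown CRS: a wrapper that falls back to a default code would reintroduce the silent misprojection the findings describe, just one layer down.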

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs automatic persistence of raw user feedback, original statements, and per-user quality scoring to local files. That exceeds the needs of a passive GIS reference skill and creates unnecessary retention of conversational data, which can capture sensitive or personal information without clear consent or minimization.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file gives the skill autonomous web-search and external monitoring behavior, including scheduled checks and source collection beyond a local knowledge-base role. This broadens the skill's authority and can cause unreviewed retrieval, trust of unsafe sources, and unexpected network activity triggered without a tightly scoped user request.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill describes itself as automatically running after every conversation, processing feedback, recording knowledge gaps, and updating files in a feedback directory. This turns a reference skill into an active stateful system that modifies local state continuously, increasing the chance of unintended data retention, privilege overreach, and behavior outside user expectations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This script can rewrite every .md, .py, .txt, and .json file under the skill root, which gives it repository-wide content modification capability unrelated to a normal read-only GIS knowledge skill. In this context, broad self-modifying behavior is risky because it can silently alter prompts, code, or metadata across the package and is not constrained by file allowlists, dry-run mode, or approval gates.
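The three constraints this finding names as missing, as an added example rather than the skill's rewrite script: a file allowlist (which also keeps every rewrite inside the skill root and out of code and metadata), a dry-run planning step that writes nothing, and an explicit approval before anything is changed. The demo root layout, the rewrite rule and the allowed suffixes are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Added example, not GIS_SKILL_V5.0's repository rewrite script.
ALLOWED_SUFFIXES = {".md", ".txt"}            # assumed: .py and .json are never rewritten
DENY_PARTS = {".git", "scripts", "feedback"}  # assumed: directories excluded outright


def plan_rewrites(root, rule, allowlist) -> list:
    """Return [(path, old_text, new_text)] for allowlisted files that rule()
    would change. Nothing is written; this is the dry run."""
    root = Path(root).resolve()
    plan = []
    for rel in sorted(allowlist):
        p = (root / rel).resolve()
        if root not in p.parents:  # entry escaping the root via .. or a symlink
            raise ValueError(f"{rel!r} resolves outside {root}")
        if p.suffix not in ALLOWED_SUFFIXES or DENY_PARTS & set(p.relative_to(root).parts):
            continue
        if not p.is_file():
            continue
        old = p.read_text(encoding="utf-8")
        new = rule(old)
        if new != old:
            plan.append((p, old, new))
    return plan


def apply_rewrites(plan, approved: bool) -> int:
    """Write the planned changes only after explicit approval, and only if each
    file is still exactly as it was when the plan was made."""
    if not approved:
        raise PermissionError("rewrite not approved; review the plan and re-run with approved=True")
    for p, old, new in plan:
        if p.read_text(encoding="utf-8") != old:
            raise RuntimeError(f"{p} changed since the plan was made; re-plan")
        p.write_text(new, encoding="utf-8")
    return len(plan)


def make_demo_root() -> Path:
    """Constructed skill root for demonstration (not the real package layout)."""
    root = Path(tempfile.mkdtemp(prefix="skill_root_"))
    (root / "README.md").write_text("GIS_SKILL_V4.0 notes\n", encoding="utf-8")
    (root / "tool.py").write_text("VERSION = 'GIS_SKILL_V4.0'\n", encoding="utf-8")
    (root / "feedback").mkdir()
    (root / "feedback" / "log.txt").write_text("GIS_SKILL_V4.0 feedback\n", encoding="utf-8")
    return root


def demo_rule(text: str) -> str:
    """Constructed rewrite rule: bump the version string."""
    return text.replace("GIS_SKILL_V4.0", "GIS_SKILL_V5.0")


if __name__ == "__main__":
    root = make_demo_root()
    plan = plan_rewrites(root, demo_rule, ["README.md", "tool.py", "feedback/log.txt"])
    print([p.name for p, _, _ in plan])      # only README.md: tool.py and feedback/ are excluded
    print(apply_rewrites(plan, approved=True))
```

The read-back comparison in apply_rewrites is what turns the plan into a contract: an operator approves a specific diff, not "whatever the rule produces at write time".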

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal