Back to skill

Security audit

Deep Skill Finder

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose, but it can install remote skills locally while using stored credentials and weak package validation, so it should be reviewed before use.

Install only if you trust the Meyo service and your local Meyo configuration. Before using it, verify the API URL, avoid exposing MEYO_API_KEY or stored Meyo tokens to untrusted endpoints, and review each recommended third-party skill before confirming installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill directs the agent to inspect the system prompt or read a local `IDENTITY.md` file to determine `agent_type`, then send that value to the search/install scripts. This expands data access beyond what is necessary for basic skill search/installation and risks exposing framework or environment metadata to an external service without clear user notice or consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The installer accepts any non-ZIP response body from the remote server and writes it directly to SKILL.md without verifying content type, size, encoding, or that it is actually valid skill markdown. A malicious or misconfigured server, proxy, or API endpoint could deliver arbitrary bytes or deceptive content that gets persisted into the installed skill directory, potentially leading to downstream parsing issues, misleading instructions, or unsafe skill content being trusted as installed metadata.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads API credentials from local config or environment and automatically attaches them as Bearer tokens to outbound requests. For a skill whose stated purpose is searching community skills, silently reusing local secrets against configurable endpoints increases the risk of credential disclosure or misuse, especially if the endpoint source is attacker-influenced via environment or config.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The probe logic sends the Bearer token to each candidate API URL while merely testing which endpoint is usable. Because candidate URLs can come from environment variables or local config, this can leak a valid token to an untrusted or attacker-controlled server before the real API is selected.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README encourages triggering the skill from very broad natural-language requests such as 'find me a skill for X' without documenting scope limits, trust boundaries, or any approval checkpoints before acting on results. In this skill's context, that matters because the described workflow can lead directly from ambiguous user intent to recommending and then installing third-party skills, increasing the chance of unsafe or irrelevant skill acquisition.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that after the user picks a numbered recommendation, the agent will install it automatically, but it does not present this as a clear safety warning or explain the security implications of local installation. Because this skill is explicitly a discovery-to-install funnel for third-party skills, the missing warning and lack of an emphasized consent boundary materially increases the risk of users authorizing installation without understanding that code or agent capabilities may be added locally.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The installation step treats very broad phrases such as '安装', '装这个', or '就它了' as confirmation to proceed. In a multi-turn conversation, these ambiguous triggers can cause unintended installation of software based on stale context or misunderstood user intent, leading to unauthorized local changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill initiates downloading and writing files into the local skills directory but does not clearly warn the user about this behavior at the decision point. Users may believe they are only selecting a recommendation, when in fact they are authorizing local code/content installation, which increases the risk of uninformed consent and unsafe extension installation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill says `agent_type` should be identified from the system prompt, local files, or runtime and then uploaded to the search/download service, but it does not disclose this data sharing to the user. Even if the value seems low sensitivity, framework and environment metadata can aid fingerprinting and is outside the core user request unless transparently disclosed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script generates a persistent client identifier under the user's home directory and later transmits it in request headers without clear user notice or consent. This enables long-term request correlation and user/device tracking across downloads, which is a privacy and security concern, especially when tied to authenticated requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installer automatically reads local API credentials from config files or environment variables and uses them in outbound HTTP requests without explicit runtime disclosure. This can cause users to unknowingly authenticate to whichever API URL is selected, increasing risk if configuration is tampered with or if users believe the operation is anonymous/public.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.