ais-skill

Security checks across malware telemetry and agentic risk

Overview

This skill fits its knowledge-base purpose, but it needs review because it asks users for browser-derived tokens and can transfer real local files through a remote service.

Review before installing. Use only a short-lived, least-privilege AIS token if possible, avoid pasting browser session headers into chat or logs, verify every remote write/delete/move/publish action, and use file upload/download/link features only for files you intentionally want to share or save.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88%
Finding
The skill clearly relies on environment variables, local file access, and outbound network access to send commands and transfer files to a remote KB service, yet it declares no permissions. This creates a transparency and governance problem: operators and users are not properly informed that the skill can read secrets from env, access local files, and perform remote actions, which can lead to unintended data exposure or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The description frames the skill mainly as sending `kb ...` commands for KB collaboration, but the instructions also enable separate upload, download, and download-link generation flows through built-in file interfaces. That expands the effective capability from document operations to local file exfiltration/import and link generation, which materially changes the risk surface and can surprise users or policy systems relying on the description.

Description-Behavior Mismatch

Medium
Confidence
93%
Finding
The skill is described as a wrapper to send `kb ...` commands to a remote AIS executor, but this script also adds separate file upload, file download, and download-link capabilities. That expands the trust boundary from remote command relay to direct local file exfiltration and local filesystem writes, which materially increases risk in an agent setting where tool use may be driven by untrusted prompts or loosely scoped user requests.

Missing User Warnings

Medium
Confidence
95%
Finding
The skill instructs the user to extract a token or Authorization value from browser developer tools and provide it for use, without emphasizing that this is a sensitive credential or describing safe handling. This normalizes insecure credential-sharing and can expose a live session token that grants broad KB access to the agent or anyone who sees the prompt/logs.

Missing User Warnings

Medium
Confidence
90%
Finding
The document explicitly enables uploading local files, downloading remote files to real local filesystem paths, optional overwriting, and generation of temporary wget-accessible links, but it provides no safety constraints, confirmation requirements, or warnings about local file exposure and link sharing. In this skill context, the danger is elevated because the agent is expected to relay commands to a remote AIS environment, so unclear guardrails can lead to unintended local file access, destructive overwrites, or creation of externally accessible download URLs for sensitive content.

Missing User Warnings

Medium
Confidence
84%
Finding
`download_file` writes server-provided content to a caller-specified local path, including deriving a filename from `Content-Disposition` when the target is a directory. In an agent/tool context, this can create or overwrite files on the local machine with remote-controlled content, which is risky even though the CLI exposes `--save-to` and `--overwrite` options.

Missing User Warnings

Medium
Confidence
92%
Finding
`upload_file` reads arbitrary local files and sends their bytes to a remote HTTP endpoint, which creates a direct data-exfiltration path from the host running the skill. In this skill's context, that is especially sensitive because the tool is meant for remote collaboration and could be induced to transmit unintended local files if higher-level controls are weak.

Ssd 3

High
Confidence
97%
Finding
The skill explicitly tells the agent to obtain and use authentication tokens copied from the user's browser requests. This is dangerous because browser session tokens often grant the same privileges as the user, and moving them into prompts, scripts, or shell history can lead to credential theft, replay, and unauthorized actions against the remote KB.

VirusTotal

58/58 vendors flagged this skill as clean.