Back to skill

Security audit

Dcc Cli Gateway

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed DCC control-plane helper with consent-gated setup paths, but users should treat its download, update, marketplace, and install commands as privileged operations.

Install only if you intend to let an agent operate DCC gateway tooling from the shell. Before approving setup, confirm the GitHub release source, avoid repo/version overrides you do not trust, inspect marketplace packages before install/update, and treat --execute, update apply, daemon start/restart, and pipe-to-shell bootstrap commands as privileged host changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only `allowed-tools: Bash Read`, but its instructions explicitly direct the agent to perform network downloads, environment-dependent behavior, and shell-based installation/update actions. This mismatch weakens policy enforcement and user understanding, because a reviewer may assume the skill is limited to inventory/search/call while the content enables broader host and network interactions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s stated purpose is gateway-based control of live DCC applications, but later sections add update, marketplace, publishing, and adapter installation workflows. This scope expansion increases the chance that an agent will execute administrative or supply-chain actions under the authority of a lower-risk control skill, violating least privilege and confusing trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Marketplace publishing allows packaging and releasing artifacts, which is materially different from controlling a local/remote DCC gateway. If an agent follows these instructions in the wrong context, it could publish or stage distributable content unexpectedly, creating supply-chain and data-exfiltration risk well beyond the skill’s advertised use.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The adapter installation section instructs the agent to install software and optionally execute setup actions on the host, including package acquisition and host-specific integration steps. That broadens the skill from control-plane interaction into endpoint modification, which can be abused to alter the machine state, introduce untrusted code, or bypass expected deployment controls if the agent acts on incomplete consent.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The helper can automatically download and install an executable from GitHub Releases when --ensure-cli is used, while the top-level description frames the fallback as local/Python REST behavior. In an agent skill context, this expands trust boundaries from local tooling to remote code acquisition and execution, creating a supply-chain risk if repo/version/environment inputs are manipulated or the release artifact is compromised.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The cheatsheet presents `marketplace install` and `marketplace update` alongside read-only discovery commands without an equally explicit warning that these commands change local state by installing or updating packages. In an agent-oriented skill, that omission can cause an automated user or operator to invoke state-changing package operations without clear awareness or separate confirmation, increasing the chance of unintended software installation from a marketplace source.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The guide recommends executing remote scripts via curl/irm piped directly into a shell, which bypasses review, integrity verification, and normal package-management controls. In an agent skill context, this is especially dangerous because an automation system may reproduce the command verbatim, leading to arbitrary code execution if the source is compromised, tampered with, or replaced in transit/supply chain.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.