Back to skill

Security audit

Dcc Mcp

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent DCC automation tool, but it includes high-impact setup paths that can download and execute external code or modify installed skills, so it belongs in Review.

Install only if you want an agent to control live DCC applications through DCC-MCP. Review and approve any CLI download, marketplace install/update, gateway daemon start, remote gateway profile, or adapter install step; prefer pinned releases and verified checksums before running downloaded executables or pipe-to-shell installers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares only Bash and Read, but its documented behavior includes environment-variable use, network access to local/remote gateways, and shell-driven download/install flows. This capability mismatch can cause an agent or policy layer to authorize the skill under incomplete assumptions, increasing the chance of unexpected outbound connections or binary installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a default DCC control layer, but it also performs transport management, health probing, gateway auto-start, and optional CLI download/install from GitHub. That broader behavior expands the trust boundary well beyond simple DCC task execution and can lead to agents invoking setup, networking, or binary acquisition in situations where users expected only application control.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The probe function can perform installation when ensure_cli is enabled, despite being described as a checker/probe. That creates an unexpected side effect: a health/inventory script may download and install executable code based on environment-controlled repo/version values, increasing supply-chain and unauthorized change risk in environments that expect read-only diagnostics.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The instruction to 'use this skill first whenever the user asks to do something in a DCC app' is broad enough to make this an aggressive default router. In context, this matters because the skill can trigger inventory checks, network/gateway interaction, and bootstrap guidance, so over-triggering can cause unnecessary privileged actions for ordinary user requests.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The natural-language triggers are very permissive and match common phrases like 'help me in Blender' or 'edit this in Photoshop,' which may cover requests that do not actually require live control tooling. Because this skill includes setup and control-plane operations, broad matching increases the risk of unintended tool invocation and environment interaction.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The cheatsheet documents `marketplace install` and `marketplace update` commands that modify the local skill environment, but unlike the adapter install flow it does not explicitly warn that these actions change local state or require user consent first. In an agent-oriented CLI, omission of that warning can cause an automated agent to perform package installation or updates without a clear safety checkpoint, increasing the risk of unintended code introduction or environment drift.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide includes curl/PowerShell one-liners that fetch and immediately execute remote scripts, which is a well-known supply-chain and arbitrary code execution risk. In this skill's context, the commands are presented as setup guidance for users who may be troubleshooting missing DCC instances, making it more likely they will copy-paste them without independently verifying the source or script contents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The helper can automatically download an executable from GitHub and place it into a user-writable bin directory when --ensure-cli is used, without a strong user-facing trust prompt or any integrity verification in this code. In a security-sensitive agent skill, silently acquiring and later executing a remote binary materially increases supply-chain and arbitrary-code-execution risk.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. **Use this routing policy first** for every DCC-control request, whether the
   host is MCP-native or shell-only.
2. **MCP-native host** — call the gateway/DCC structured tools directly
   (`inventory` → `search` → `describe` or `load_skill` → `call`). Do not ask the
   user to switch clients or manually repeat the operation.
3. **Shell-only host** — use `dcc-mcp-cli` (`search` → `describe` → `call`).
4. **Do not mix paths in one turn** — pick CLI+REST or MCP for the whole task,
Confidence
78% confidence
Finding
Do not ask the user

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.