Back to skill

Security audit

Loop Polish

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent QA automation tool, but it gives an agent broad authority to edit code, kill processes, create API/database state, read database credentials, and record raw request data with several under-disclosed safety gaps.

Install only if you intend to let the agent run a deep full-stack QA/fix loop in a disposable development environment. Avoid using it against production data or shared ports, and explicitly tell the agent not to read database credentials, not to force-kill unrelated processes, and to redact tokens/cookies/request bodies in reports unless you have reviewed and accepted those risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill explicitly searches project files for database connection details and uses native database CLIs to query live state. That exceeds ordinary application-level verification and creates unnecessary exposure of credentials and backend data, especially if logs, reports, or downstream tools retain those values.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The document describes preflight mode as stopping after scan and score, but its API verification guidance still includes creating records to obtain IDs for later calls. That means a mode presented as safe/non-fixing can still mutate application or database state, misleading users about operational risk.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
Claiming preflight mode is 'zero-risk' is contradicted by earlier instructions to perform write operations during API testing and possibly database verification. This kind of safety misrepresentation can cause operators to run the skill in production-like environments under false assumptions, leading to unintended data changes.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The claim that the main branch is safe because fixes occur on an isolated branch is incomplete because cleanup later returns to the original branch and reapplies stashed local changes. Users may wrongly infer their workspace is untouched, while the skill can reintroduce modified state and create confusion or accidental commits.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad enough to match common QA, delivery, and verification requests, increasing the chance the skill is invoked in situations where the user did not intend deep automation, code changes, process termination, or database interaction. Overbroad invocation expands the blast radius of the skill's risky behaviors.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill includes forceful process termination commands (`taskkill /F`, `kill -9`) against ports that may belong to unrelated services, but the description does not clearly warn users about this destructive behavior up front. In shared development or CI environments, that can disrupt other applications and cause data loss or service interruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow accesses database credentials and performs direct database verification without a clear up-front warning in the skill description. Users may invoke the skill expecting application-only QA, not credential harvesting from config files or direct database access.

Ssd 3

Medium
Confidence
92% confidence
Finding
The instructions direct the agent to locate and use database credentials from application files, which constitutes sensitive secret access beyond minimal necessity. Even if used for verification, this expands secret handling and increases the chance of accidental disclosure through logs, reports, memory, or state files.

Ssd 3

Medium
Confidence
96% confidence
Finding
Collecting full request headers and bodies in diagnostics can capture bearer tokens, session cookies, passwords, PII, and other user-supplied secrets. Because these diagnostics may be stored in reports, logs, or state files, a transient failure can become a durable data-exposure event.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.