Kirk Content Pipeline

Security checks across malware telemetry and agentic risk

Overview

This content-pipeline skill is mostly purpose-aligned, but it explicitly instructs the agent to work around file-access limits by symlinking blocked files into the project directory, and it ships a pickle-loading helper that executes whatever the loaded state file contains. Users should review both behaviors carefully before use.

Install only if you understand and accept the local-data access pattern. Before use:
  • approve any symlink to a specific PDF folder, and remove the symlink after the run;
  • keep generated caches in a task-specific folder;
  • run the pickle-based helper only on state files you generated and trust;
  • manually review any holdings, source excerpts, and metadata before anything is published or shared externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84%
Finding
The skill clearly performs file reads and writes across local directories, but it does not declare permissions. Hidden capability expansion is dangerous because operators and policy layers may believe the skill is narrower than it really is, reducing informed consent and review quality.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89%
Finding
The documented purpose describes a content pipeline, but the behavior also includes deserializing local state.pkl files, heuristic data extraction, and metadata merging that are not transparently disclosed in the high-level description. This mismatch can conceal risky behaviors like unsafe deserialization and broader data handling than users expect.

Context-Inappropriate Capability

High
Confidence
98%
Finding
The skill explicitly instructs the agent to bypass subagent file-access restrictions by symlinking blocked external files into the project directory. This defeats an intended security boundary and can expose sensitive files to tools or subagents that were not meant to access them.

Context-Inappropriate Capability

Medium
Confidence
87%
Finding
The skill directs publication of outputs into a shared final folder outside the working area. Writing outside the normal workspace increases the risk of unintended data exposure, overwriting trusted content, and crossing trust boundaries without explicit approval.

Intent-Code Divergence

Medium
Confidence
95%
Finding
The skill first states that outside-project files are blocked, then provides a symlink workaround that makes those same files accessible. This is a direct semantic bypass of a security control and trains the agent to reinterpret a deny boundary as permission.

Context-Inappropriate Capability

High
Confidence
99%
Finding
The script deserializes a pickle file from auto-discovered locations using pickle.load and a custom Unpickler. Python pickle is code-executing by design, so any attacker who can place or modify a discovered state.pkl can run arbitrary code when this cache-builder is invoked. In this content-pipeline context, the risk is amplified because the tool intentionally searches common state directories automatically, increasing the chance it consumes stale or attacker-planted local state.

Context-Inappropriate Capability

Medium
Confidence
91%
Finding
The LazyContext fallback trusts a cache_path value recovered from unpickled state and then opens that path directly when the content property is accessed. This can be abused to read arbitrary local files into the cache output if an attacker controls the pickle contents, turning the script into a file disclosure primitive in addition to the underlying deserialization risk.

Missing User Warnings

High
Confidence
98%
Finding
The code loads pickle data from auto-discovered local state without any user-facing warning or trust boundary enforcement. Because users may assume this is a harmless cache-building utility, the lack of explicit warning and guardrails materially increases the likelihood that dangerous, attacker-controlled pickle data will be loaded and executed.
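The three pickle findings above describe one mechanism: pickle.load resolves and calls whatever callables the file names, and a trusted cache_path read back out of that file becomes a file-read primitive. The example below is added for this review and is not the Kirk Content Pipeline's own code. It shows a constructed state.pkl that runs code on load, the same file refused by a restricted Unpickler that allows no globals at all (plain dicts, lists, strings and numbers never need find_class), and a cache_path check that confines the recovered path to a cache root. The state layout (a dict with a cache_path key) follows the LazyContext finding; Payload, record_execution and the cache-root rule are assumptions made here.

```python
"""Added example: auto-loaded state.pkl files are code execution, and what a
restricted loader looks like. Not taken from the skill; the sample states,
Payload, record_execution and the cache-root rule are constructed here."""
import io
import os
import pickle
import tempfile

EXECUTED = []  # side effects observed during unpickling


def record_execution(msg):
    """Stand-in for an attacker's real callable (os.system, subprocess, ...)."""
    EXECUTED.append(msg)


class Payload:
    """Any object can tell pickle to call an arbitrary callable on load."""

    def __reduce__(self):
        # pickle writes GLOBAL record_execution + REDUCE; load() calls it.
        return (record_execution, ("code ran during pickle.load",))


def build_malicious_state() -> bytes:
    # Constructed sample: a plausible state dict that smuggles a Payload.
    return pickle.dumps({"cache_path": "page_cache.json", "trigger": Payload()})


def build_path_escape_state() -> bytes:
    # Constructed sample: no code, but cache_path points outside the cache root.
    return pickle.dumps({"cache_path": "/etc/passwd"})


def build_benign_state(cache_path: str) -> bytes:
    return pickle.dumps({"cache_path": cache_path, "items": [1, 2, 3]})


def load_state_unsafe(data: bytes) -> dict:
    """What pickle.load on a discovered file amounts to: runs whatever is inside."""
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Builtin containers never need find_class, so pure-data state loads
    normally while any GLOBAL (and therefore any REDUCE on it) is refused."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed in state")


def load_state_restricted(data: bytes, cache_root: str) -> dict:
    state = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(state, dict) or not isinstance(state.get("cache_path"), str):
        raise ValueError("state must be a dict with a string cache_path")
    # Resolve cache_path under the cache root and refuse anything outside it,
    # so a tampered cache_path cannot turn the loader into a file-read primitive.
    root = os.path.realpath(cache_root)
    resolved = os.path.realpath(os.path.join(root, state["cache_path"]))
    if os.path.commonpath([root, resolved]) != root:
        raise ValueError(f"cache_path {state['cache_path']!r} escapes {root}")
    state["cache_path"] = resolved
    return state


def demo(cache_root: str = os.path.join(tempfile.gettempdir(), "kirk_cache")) -> dict:
    """Run the constructed states through both loaders; returns the outcomes."""
    before = len(EXECUTED)
    load_state_unsafe(build_malicious_state())
    outcomes = {"unsafe_ran_code": len(EXECUTED) == before + 1}
    samples = [
        ("malicious", build_malicious_state()),
        ("escape", build_path_escape_state()),
        ("benign", build_benign_state("page_cache.json")),
    ]
    for label, data in samples:
        try:
            load_state_restricted(data, cache_root)
            outcomes[label] = "accepted"
        except (pickle.UnpicklingError, ValueError) as exc:
            outcomes[label] = "rejected: " + type(exc).__name__
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Refusing every global is stricter than the usual allowlist approach, but a cache-builder's state should be data only, so nothing legitimate is lost and the attack surface of find_class disappears entirely. The path check matters even when the pickle itself is harmless: the deserialization risk and the cache_path disclosure risk are independent and need separate controls.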

Ssd 3

Medium
Confidence
93%
Finding
The skill instructs the agent to query internal holdings, entry prices, returns, and model positions, and to include those details in content and metadata. That creates a real risk of exposing sensitive portfolio or trading information beyond need-to-know, especially when combined with publication steps.

Ssd 1

High
Confidence
98%
Finding
The symlink workaround reframes blocked file access as acceptable by changing only the path presentation, not the trust boundary. This is a classic access-control bypass pattern and is especially dangerous because it is documented as the recommended fix.
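The symlink findings above all hinge on one fact: a link inside the project directory changes how a path is presented, not where it resolves. A practitioner who follows the overview's advice (approve a specific symlink, remove it after the run) wants a mechanical check for that. The example below is added for this review and is not the skill's own code: it walks a project tree without following links, reports every symlink whose real target lies outside the project root, and optionally removes those links. The demo layout (a project folder, an external PDF folder, a link named pdfs and an internal link named notes) is constructed here.

```python
"""Added example: find symlinks inside a project tree that resolve outside it.
Not taken from the skill; the demo layout is constructed in build_demo_tree()."""
import os
import tempfile


def escaping_symlinks(project_root: str, unlink: bool = False) -> list:
    """Return [(relative_link_path, resolved_target)] for every symlink under
    project_root whose real target is outside it; unlink=True removes them."""
    root = os.path.realpath(project_root)
    found = []
    # followlinks=False: symlinked directories are listed but never descended,
    # so a link to / cannot drag the whole filesystem into the walk.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) == root:
                continue  # internal link: stays inside the project boundary
            found.append((os.path.relpath(path, root), target))
            if unlink:
                os.unlink(path)  # removes the link only, never its target
    return sorted(found)


def build_demo_tree() -> str:
    """Constructed layout: a project with one internal and one escaping link."""
    base = tempfile.mkdtemp(prefix="kirk_demo_")
    project = os.path.join(base, "project")
    external_pdfs = os.path.join(base, "external_pdfs")  # outside the project
    os.makedirs(os.path.join(project, "docs"))
    os.makedirs(external_pdfs)
    with open(os.path.join(external_pdfs, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    os.symlink(external_pdfs, os.path.join(project, "pdfs"))  # escapes the root
    os.symlink(os.path.join(project, "docs"), os.path.join(project, "notes"))  # internal
    return project


def demo() -> dict:
    """Report escaping links, remove them, and confirm the tree is clean after."""
    project = build_demo_tree()
    before = escaping_symlinks(project)
    escaping_symlinks(project, unlink=True)
    after = escaping_symlinks(project)
    return {
        "escaping_before": [link for link, _ in before],
        "escaping_after": [link for link, _ in after],
        "internal_link_kept": os.path.islink(os.path.join(project, "notes")),
        "target_still_exists": os.path.exists(
            os.path.join(os.path.dirname(project), "external_pdfs", "report.pdf")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the check with unlink=False before a pipeline run to see exactly which external locations the skill has pulled into scope, and with unlink=True afterwards to enforce the cleanup step. Comparing realpath results against the project root, rather than inspecting the link text, is what catches relative links and chains of links that end up outside the boundary.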

VirusTotal

66/66 vendors reported this skill as clean.