
Security audit

Superwise Drift Detection Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: set up Superwise drift monitoring, upload model data to Superwise, and optionally send Telegram drift alerts.

Install only if you are comfortable sending selected training and inference data to Superwise and drift summaries to Telegram. Use least-privilege Superwise credentials, store secrets in a proper secret manager or protected environment variables, restrict access to any deployed /run-check endpoint, and pin dependencies for production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tainted flow: 'url' from os.getenv (line 77, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:

        raise RuntimeError("INFERENCE_ENDPOINT_URL is not set in .env")

    try:
        resp = requests.get(url, timeout=30)
        resp.raise_for_status()
        data = resp.json()
        records = data.get("records", [])

Confidence: 91%
Finding: resp = requests.get(url, timeout=30)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: This file implements ETF price forecasting with Prophet and Yahoo Finance, which is materially unrelated to the declared purpose of a drift-detection skill. In a security review, such capability mismatch is dangerous because it can conceal undeclared behavior, expand the attack surface, and cause operators to run code they would not have approved under the advertised skill scope.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code loads serialized models, fetches live market data, and generates financial forecasts for ETFs despite the skill claiming only drift detection for tabular ML models. Hidden or unjustified financial forecasting functionality is risky because it may be used for unauthorized decision support, introduce compliance concerns, and mask non-obvious runtime behavior such as network access and model execution.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The module docstring explicitly states that the file is a reference implementation for loading Prophet models and generating 30-day forward predictions, contradicting the advertised drift-detection intent. This inconsistency is a strong indicator of deceptive or poorly governed packaging, making it harder for reviewers and users to understand what the skill actually does and increasing the chance of unintended execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill asks users to place Superwise API credentials into a local .env file without any warning about secret handling, accidental commits, filesystem exposure, or least-privilege use. This creates a realistic path to credential leakage through source control, logs, backups, or shared environments.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs sending drift alerts over Telegram but does not clearly warn that model-health and operational metadata will be sent to a third-party messaging platform. Even if the content seems limited, drift status, model names, and feature-level alerts can expose sensitive business or system-monitoring information outside the primary environment.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill fetches inference records from one service and uploads them to Superwise, but there is no explicit consent, disclosure, filtering, or minimization step before that external transfer. In an ML monitoring context, inference payloads may contain customer, financial, health, or other regulated data, so silent third-party transmission creates real privacy and compliance risk.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding: The skill sends monitoring results to Telegram without any explicit warning or data-classification check. While the message content is limited to drift metadata, model names and feature names can still reveal internal system details or sensitive business context to an external messaging platform.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill uploads raw CSV rows to Superwise, which can include sensitive training or inference data, but the code provides no consent gate, data classification check, redaction step, or explicit user-facing notice about external transmission. In an agent skill context, this creates a real privacy and compliance risk because users may trigger drift monitoring without realizing their dataset contents are being sent to a third-party service.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:

    pybikes>=1.0.0
    pandas
    scikit-learn
    flask

Confidence: 96%
Finding: pandas

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:

    pybikes>=1.0.0
    pandas
    scikit-learn
    flask

Confidence: 96%
Finding: scikit-learn

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:

    pybikes>=1.0.0
    pandas
    scikit-learn
    flask

Confidence: 97%
Finding: flask

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:

    pybikes>=1.0.0
    pandas
    scikit-learn
    flask

Confidence: 92%
Finding: pybikes>=1.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.