Wei Devils Advocate

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-model critique skill, but users should know it sends prompts to external model providers and saves plaintext reports locally.

Install only if you are comfortable sending the submitted idea and generated critiques to the configured LLM providers. Protect API keys, prefer a reviewed/package-manager Bun install over curl-to-bash where possible, and delete or secure the intermediate/ and reports/ files after sensitive analyses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly depends on environment variables and external model APIs, implying env and network access. This mismatch can mislead reviewers and operators about the skill's actual capabilities, weakening sandboxing, approval, and trust boundaries.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The package metadata identifies the project as "wei-research" / "Multi-Model Researcher," which does not match the provided skill context of a devil's-advocate analysis skill. Metadata mismatch is a real supply-chain and review risk because it can obscure the true purpose of the package, mislead operators, and hinder accurate security assessment or deployment decisions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The implementation and public API describe and expose a generic 'multi-model researcher' workflow rather than the manifest-declared devil’s-advocate function. This mismatch can cause the host or user to invoke the skill under false assumptions, leading to unsafe reliance on outputs that were expected to include adversarial critique, risk surfacing, and cross-checking but may instead provide ordinary synthesized answers.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module header states this is the entry point for a 'multi-model researcher' skill, directly conflicting with the declared adversarial-analysis purpose. Security-sensitive orchestration systems often rely on metadata and code-level descriptions for routing and trust decisions, so this inconsistency increases the risk of misuse, incorrect policy application, and deceptive presentation of the skill’s capabilities.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The CLI help markets the tool as a generic research interface, which can mislead operators into using it for broad research instead of structured adversarial review. While primarily a semantic/integrity issue, this matters in agent ecosystems because operator expectations and automation may depend on the declared role of the skill when deciding when and how to use it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly instructs users to store live API keys in a plaintext `.env` file but gives no guidance to keep that file out of version control, lock down file permissions, or use a secrets manager. This can lead to accidental credential exposure through commits, backups, screenshots, or shared workspaces, which is especially relevant because the skill depends on paid third-party API accounts.

Missing User Warnings

Low
Confidence
74% confidence
Finding
Telling users to export API keys as environment variables is common practice and safer than hardcoding, but the documentation omits any warning that these variables are sensitive credentials. Without that context, users may expose secrets in shell history, process inspection, shared terminal sessions, or copied setup logs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly tells users to place API keys in a local `.env` file but does not warn them to exclude that file from version control or protect it appropriately. In practice, this omission can lead to accidental secret commits, credential leakage in shared repositories, and unauthorized use of paid model APIs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The agent persists the user query and model-generated content to local files under intermediate/ and reports/ without any indication of consent, minimization, retention control, or secrecy protections. Because this skill is explicitly designed to process arbitrary ideas and internal reasoning, those artifacts can easily contain sensitive business plans, credentials, regulated data, or proprietary prompts that remain on disk and may later be exposed to other users, backups, logs, or support tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code forwards the thesis, and in the judge step the aggregated counterarguments from multiple models, to external LLM providers. In this skill context, users may submit confidential strategic plans or sensitive internal content for adversarial review, so undisclosed transmission to third-party APIs materially increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This client sends chat messages and embedding input directly to the external Bailian/DashScope API, and the file contains no consent, classification, or redaction guardrails before transmission. In an agent skill context, that can cause unintended disclosure of sensitive prompts, user data, or proprietary material to a third-party service, especially because the skill is designed to process potentially rich adversarial analysis inputs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client sends chat messages and embedding inputs directly to a configurable remote base URL, including arbitrary third-party or self-hosted endpoints, but the method docs do not prominently warn that user content will be transmitted off-box. In a skill framework, this increases the risk of accidental sensitive-data exfiltration because integrators may treat this as a generic local helper while it can forward prompts, documents, and metadata to external services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The helper writes the full response object and error details to a persistent file under the working directory. If model responses contain sensitive prompts, user data, tool outputs, credentials, or proprietary content, this creates a local data-retention and disclosure risk, especially on shared hosts or in environments where logs/artifacts are collected automatically.

Ssd 3

Medium
Confidence
97% confidence
Finding
The implementation creates plain-text workflow artifacts containing the raw query, parsed arguments, failure scenarios, and raw model responses. This is more dangerous in a devil's-advocate skill because the generated content is likely to include detailed weaknesses, attack paths, proprietary assumptions, and other high-sensitivity material that would be valuable if later accessed by unauthorized parties.

External Script Fetching

High
Category
Supply Chain
Content
### Install Bun

```bash
curl -fsSL https://bun.sh/install | bash
```

Or on macOS with Homebrew:
Confidence
95% confidence
Finding
curl -fsSL https://bun.sh/install | bash

Unpinned Dependencies

Low
Category
Supply Chain
Content
"bun:agent": "bun run scripts/agent.ts"
  },
  "dependencies": {
    "axios": "^1.7.0",
    "dotenv": "^16.4.0"
  },
  "devDependencies": {
Confidence
89% confidence
Finding
"axios": "^1.7.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "axios": "^1.7.0",
    "dotenv": "^16.4.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
Confidence
84% confidence
Finding
"dotenv": "^16.4.0"

Known Vulnerable Dependency: axios==1.7.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.7.0

Chaining Abuse

High
Category
Tool Misuse
Content
### Install Bun

```bash
curl -fsSL https://bun.sh/install | bash
```

Or on macOS with Homebrew:
Confidence
97% confidence
Finding
| bash

VirusTotal

60/60 vendors flagged this skill as clean.