Web Security Audit Skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-audit skill, but it automatically generates runnable exploit code, including file-read, RCE, SSRF, and webshell upload templates, without clear authorization gates.

Install only if you intentionally want a dual-use audit helper that writes reports containing runnable exploit scripts. Use it only on code and systems you are authorized to assess, review the generated Security.md before sharing or committing it, and avoid running any generated PoC against live targets unless you have explicit permission and containment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to read arbitrary project files, write a Security.md report, invoke a local Python script via shell, and generate network-capable PoC code, yet it declares no permissions or safety boundaries. This creates a transparency and authorization gap: users and hosting systems are not clearly informed that the skill can modify files and execute tooling, increasing the risk of unintended filesystem changes or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is code security auditing, but the skill also mandates generation of runnable exploit PoCs, writes deliverables to disk, and appears broader than the declared language scope. This mismatch is dangerous because users may invoke a seemingly defensive audit skill without realizing it also produces offensive exploitation content and performs side effects on the filesystem.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The module explicitly advertises that it generates full vulnerability reports including executable exploit scripts for each finding. In a code-audit/reporting skill, embedding ready-to-run offensive PoCs materially increases misuse potential by turning static findings into operational attack content without additional authorization checks or narrowing to defensive-only output.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The EXP_TEMPLATES block contains multi-vulnerability attack scripts for SQLi, RCE, XSS, deserialization, SSRF, XXE, path traversal, SSTI, malicious upload, and open redirect. This is context-inappropriate for a regex-based audit skill because it provides broad offensive capability, including payloads for exploitation, exfiltration, and deployment of server-side code, making the skill substantially more dangerous than a passive scanner.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The RCE template claims to perform harmless verification but also sends an out-of-band DNS callback payload using nslookup to an external domain. That creates undeclared external interaction, can leak host identifiers, and crosses from simple validation into covert connectivity testing, increasing the likelihood of unauthorized impact.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs saving Security.md into the target directory as a mandatory action without requiring user consent or warning that it will modify project files. Silent writes can overwrite existing reports, pollute repositories, or cause sensitive findings to be stored in locations the user did not intend.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function writes the generated Security.md to disk whenever output_path is provided, with no user-facing disclosure, approval, or safety interlock in this file. Silent file creation can surprise operators, overwrite sensitive locations if misused by callers, and persist dangerous exploit content generated elsewhere in the module.

Credential Access

High
Category
Privilege Escalation
Content
payloads = [
        ('<?xml version="1.0"?>\n'
         '<!DOCTYPE foo [\n'
         '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
         ']>\n'
         '<root>&xxe;</root>', "/etc/passwd"),
        ('<?xml version="1.0"?>\n'
Confidence
96% confidence
Finding
/etc/passwd

Credential Access

High
Category
Privilege Escalation
Content
'<!DOCTYPE foo [\n'
         '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
         ']>\n'
         '<root>&xxe;</root>', "/etc/passwd"),
        ('<?xml version="1.0"?>\n'
         '<!DOCTYPE foo [\n'
         '  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">\n'
Confidence
96% confidence
Finding
/etc/passwd

Credential Access

High
Category
Privilege Escalation
Content
def exploit():
    paths = [
        "../../../etc/passwd",
        "..\\..\\..\\windows\\win.ini",
        "....//....//....//etc/passwd",
        "..%252f..%252f..%252fetc/passwd",
Confidence
95% confidence
Finding
/etc/passwd

Credential Access

High
Category
Privilege Escalation
Content
paths = [
        "../../../etc/passwd",
        "..\\..\\..\\windows\\win.ini",
        "....//....//....//etc/passwd",
        "..%252f..%252f..%252fetc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    ]
Confidence
95% confidence
Finding
/etc/passwd

YARA rule 'php_webshell_generic': Generic PHP webshell — eval/assert on user-controlled input [webshells]

Critical
Category
YARA Match
Content
'    echo "</pre>";\n'
             '}\n'
             '?>\n')
    with tempfile.NamedTemporaryFile(suffix=".php", delete=False, mode="w") as f:
        f.write(shell)
        tmpfile = f.name
    filenames = [
Confidence
99% confidence
Finding
system($_GET[

VirusTotal

1/64 vendors flagged this skill as malicious, and 63/64 flagged it as clean.