Back to skill

Security audit

cloud-doc-intelligent-assistant

Security checks across malware telemetry and agentic risk

Overview

This skill coherently fetches public cloud documentation, stores local copies, checks diffs, and can optionally send user-configured notifications.

Install only if you are comfortable with a tool that fetches public cloud docs, stores copies locally, and may send monitoring summaries to configured webhook destinations. Keep webhook config disabled unless needed, use trusted HTTPS endpoints, and prefer a locked dependency file for production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest and narrative repeatedly frame the skill as only doing collection and diff, yet the permissions allow sending notifications to external webhook URLs supplied via environment variables. In a security-sensitive documentation workflow, this hidden outbound channel makes the skill more dangerous because crawled content, metadata, or change summaries could be sent outside the local environment without operators fully appreciating that risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
`discover_product_docs` falls back to an unfiltered keyword search when the provided term does not match a specific Baidu product. In the context of this skill, that behavior conflicts with the stated requirement to ask the user to specify a cloud vendor before retrieving vendor documentation for generic cloud concepts, which can cause the agent to autonomously gather and use data outside the user's intended scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file adds outbound notification channels that send document summaries, metadata, URLs, and change details to arbitrary external webhooks and chat systems. That conflicts with the stated skill scope of local collection/storage and diffing only, and creates an unnecessary data-exfiltration surface if the skill is invoked on sensitive or proprietary cloud documentation datasets.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module implements generic outbound HTTP notification capability unrelated to the narrowly described purpose of document retrieval, local storage, change detection, and diffing. Because endpoints are configuration-driven, an operator or attacker controlling config can direct document-change data to arbitrary external services, turning the skill into a data forwarding mechanism.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata explicitly states that the skill only performs data collection and diffing and that summarization/analysis is left to the caller, but this code can actively send notifications through runtime notifier channels. That creates a capability mismatch between the declared contract and actual behavior, which can lead to unauthorized outbound communication, data exfiltration of document-change details, or unexpected side effects when the skill is invoked in supposedly read-only contexts.

External Transmission

Medium
Category
Data Exfiltration
Content
}
        for attempt in range(1, self.retry_count + 1):
            try:
                response = requests.post(self.url, json=payload, timeout=self.timeout,
                                         headers={"Content-Type": "application/json"})
                response.raise_for_status()
                return True
Confidence
92% confidence
Finding
requests.post(self.url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
}
        for attempt in range(1, self.retry_count + 1):
            try:
                response = requests.post(self.webhook_url, json=payload, timeout=self.timeout,
                                         headers={"Content-Type": "application/json"})
                response.raise_for_status()
                result = response.json()
Confidence
90% confidence
Finding
requests.post(self.webhook_url, json=

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
sqlalchemy>=2.0.0
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
sqlalchemy>=2.0.0
pyyaml>=6.0.0
Confidence
95% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
sqlalchemy>=2.0.0
pyyaml>=6.0.0
click>=8.1.0
Confidence
96% confidence
Finding
lxml>=4.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
sqlalchemy>=2.0.0
pyyaml>=6.0.0
click>=8.1.0
Confidence
95% confidence
Finding
sqlalchemy>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
beautifulsoup4>=4.12.0
lxml>=4.9.0
sqlalchemy>=2.0.0
pyyaml>=6.0.0
click>=8.1.0
Confidence
95% confidence
Finding
pyyaml>=6.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
lxml>=4.9.0
sqlalchemy>=2.0.0
pyyaml>=6.0.0
click>=8.1.0
Confidence
93% confidence
Finding
click>=8.1.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
lxml

Known Vulnerable Dependency: sqlalchemy — 6 advisory(ies): CVE-2019-7548 (SQLAlchemy is vulnerable to SQL Injection via group_by parameter ); CVE-2019-7164 (SQLAlchemy vulnerable to SQL Injection via order_by parameter); CVE-2012-0805 (SQLAlchemy vulnerable to SQL injection) +3 more

Critical
Category
Supply Chain
Confidence
77% confidence
Finding
sqlalchemy

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
89% confidence
Finding
pyyaml

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.