Back to skill

Security audit

Kb Web Query

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated KB web-query purpose, but it includes an undisclosed authenticated repository write helper that does not fit its no-persistence claim.

Review before installing. This skill is suitable only if the Gitea bot token is read-only or the unused upsert_text write helper is removed. Expect it to read team KB overview/catalog content, preview supplied attachments, use web search/fetch tools, and write local result JSON; do not grant a write-capable repository token unless you intentionally accept that extra authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to use environment variables, read files from the knowledge base, write JSON result artifacts, and access the network, yet the metadata does not declare corresponding permissions. This creates a permission-transparency gap: reviewers and policy enforcement may underestimate the skill’s capabilities, and a compromised or modified skill could leverage those undeclared capabilities to access sensitive repo data or exfiltrate information via web requests.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata describes a no-persistence web query tool, but this client exposes authenticated repository write capability through upsert_text, allowing creation or modification of repo contents. In a query-oriented skill, hidden persistence materially expands capability and could be abused to alter knowledge base content, plant misleading data, or create a covert exfiltration/persistence channel.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code loads Gitea URL, token, owner, and repo settings from environment variables, enabling authenticated access to a repository even though the skill is presented as query-only. While reading env vars is common, here it becomes dangerous because it silently equips the skill with modification capability unrelated to the expected role.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Repository writes occur without any visible user confirmation, warning, or consent mechanism. In an assistant context, silent state-changing actions are risky because users may believe they are only performing research while the skill modifies backend content or stores derived data without awareness.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.