Back to skill

Security audit

Craft CLI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Craft CLI helper, but it needs review because it installs a remote binary with sudo and can modify or delete Craft content across configured spaces with limited warnings.

Review the installer before use, prefer a user-local install path if possible, and verify the downloaded binary by checksum or signature. Before running create, update, or delete commands, confirm the active Craft space and document ID; treat delete as potentially permanent unless the publisher documents recovery behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This markdown file documents a destructive operation (`craft delete <document-id>`) but provides no warning that the action may remove user data, nor any confirmation or recovery guidance. Under the markdown criteria for missing user warnings, destructive behaviors affecting user data should be explicitly disclosed.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The file explains how to switch the CLI between a business space and a personal space, then later shows create, update, and delete operations, but it does not warn users that subsequent commands will operate on whichever space is currently configured. This omission could lead to unintended modification or deletion of data in the wrong account or workspace.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.