Security audit

Ai Pa

Security checks across malware telemetry and agentic risk

Overview

This PA coordination skill is not clearly malicious, but it asks agents to use owner email/calendar authority and persistent contact data with weaker disclosure and safeguards than that access deserves.

Install only if you trust the workspace and intend this agent to handle sensitive PA contact data and delegated owner account actions. Before use, remove or replace the real-looking example contact entry, avoid sourcing .context as shell unless you control that file, and require explicit owner approval before any email send, calendar creation, account auth step, or directory update.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill's stated purpose is PA coordination, but it also instructs the agent to send Gmail messages and create calendar events on the owner's account. That expands the authority of the skill into account actions that can affect external parties and owner data, increasing the chance of unauthorized actions if invoked without explicit, task-scoped consent.

Description-Behavior Mismatch

Severity: Low
Confidence: 88%
Finding
The skill is presented as reading contact data, but it also tells the agent to create and modify the local directory file. Undisclosed write capability can alter workspace state, poison future lookups, and create persistent bad data that affects later communications or routing decisions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
Including `gog auth add owner@company.com --services gmail` introduces account-authentication steps that can grant or refresh access to the owner’s email account. This is a sensitive privilege-escalating action outside simple PA coordination and can enable broader account operations than the user may expect from the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill grants an agent authority to send email using the owner's account, which materially expands its action scope beyond PA-directory lookup and inter-PA coordination. In an agentic setting, this can enable impersonation, unintended external communication, data leakage, and social-engineering abuse if invoked without strong authorization and disclosure controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The onboarding section instructs the agent to create accounts and configure external services, which exceeds the stated purpose of PA-network coordination and broadens the operational privileges implied by the skill. Even if intended as convenience documentation, this kind of scope expansion can lead an agent to perform sensitive setup actions on third-party systems without appropriate user confirmation or separation of duties.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The instructions tell the agent to create or modify `data/pa-directory.json` without warning that it changes persistent workspace data. Silent state changes are dangerous because they can survive beyond the current task, corrupt local records, or be abused to insert misleading contact information for later use.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill includes a direct command to create calendar events on the owner’s account without a prominent warning in the skill description. Calendar creation is an external side effect that can send invites, expose meeting metadata, and modify the owner’s account state, so users should be clearly informed before the skill is used.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
Sourcing a local `.context` file exposes environment variables such as phone numbers, account identifiers, and group IDs to the skill without any user-facing disclosure. Access to sensitive local context increases the risk of unintended data use or leakage, especially when combined with messaging, email, or other outbound actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The directory update instructions directly overwrite a file containing personal contact information without any warning, backup step, validation, or approval gate. This creates risk of accidental data corruption, unauthorized contact changes, and privacy-impacting modifications that could redirect communications or damage coordination workflows.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The email-sending instructions transmit message content from the owner's account without an explicit privacy, consent, or disclosure warning at the point of use. In context, this is especially risky because the skill handles personal and organizational contact data; combining that with owner-account email sending can expose sensitive information to unintended recipients and mask the true actor behind the communication.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.