Back to skill

Security audit

Gno.Bak 2026 01 28T18:01:20+10:30

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation-only skill for a local document search tool, with real privacy and configuration risks that users should control deliberately.

Install only if you trust the gno CLI source. Index narrow folders you intentionally want searchable, avoid secrets and broad home-directory collections, bind the web UI to localhost for private documents, and do not enable MCP write tools, use --force, or run reset/cleanup/skill-install commands unless you explicitly want those persistent changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The CLI reference exposes capabilities to install and uninstall AI assistant skills, which goes beyond the declared scope of local document search and indexing. Even if legitimate product functionality, undocumented environment modification increases attack surface because an agent using this skill could alter assistant behavior or persistence on the host under the guise of a search tool.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The MCP install/uninstall commands modify external client configurations, which is a privileged side effect unrelated to merely searching local documents. In a skill context, this can enable persistence or toolchain reconfiguration and is especially risky because users may invoke the skill expecting read-oriented behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented reset command can delete all GNO data, including database, embeddings, and config, which is destructive functionality outside the advertised search/knowledge-base purpose. If an agent or user triggers it unexpectedly, it can cause irreversible local data loss.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill description contains very broad trigger phrases like searching files, finding information, setting up knowledge bases, and starting a web UI. These overlap with many ordinary user requests, which can cause the agent to invoke this skill too often and expose local-document indexing/search capabilities in situations where a narrower skill or direct answer would be safer.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The "When to Use This Skill" list is expansive and ambiguous, including generic requests like finding information, setting up MCP, using a web UI, or visualizing document connections. In an agentic environment, unclear activation boundaries increase the chance of unnecessary tool use against local content, which can expand data exposure and create unintended side effects such as indexing or serving sensitive directories.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The web UI defaults to binding on 0.0.0.0, exposing the service on all network interfaces unless the user overrides it. For a local document search tool, that can unintentionally expose indexed private documents, search results, and AI Q&A endpoints to other machines on the network.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The examples encourage indexing broad user directories such as `~/Documents/work` and `~/notes` without warning that sensitive local content may be ingested, stored in an index, or later exposed through search/answer features. In a document-search skill, this increases the chance that users unknowingly process confidential files or make them available to downstream AI components.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `gno ask ... --answer` examples imply AI-generated answers over local documents but provide no warning that prompts, retrieved snippets, or document content may be sent to a model or remote service. For a local knowledge-base tool, this omission is security-relevant because users may assume all processing remains local and inadvertently disclose sensitive material.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The model download examples omit notice of network access and external artifact retrieval. While common, this is dangerous in security-sensitive environments because users may run commands expecting a purely local tool and unintentionally permit outbound connections or import unverified model binaries/files.

Self-Modification

High
Category
Rogue Agent
Content
| -------------- | -------------- | ------------------------------------------------ |
| `-t, --target` | claude-desktop | Target: `claude-desktop`, `claude-code`, `codex` |
| `-s, --scope`  | user           | Scope: `user`, `project`                         |
| `-f, --force`  | false          | Overwrite existing config                        |
| `--dry-run`    | false          | Preview changes                                  |

Examples:
Confidence
91% confidence
Finding
Overwrite existing config

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.