backstage companion

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed admin workflow skill, but it can run local and project shell scripts and update executable checks from an unpinned GitHub source.

Install only for trusted personal or team projects where you trust the upstream repository and every local checks directory. Review all .sh and .md checks before running, avoid using broad casual triggers in untrusted repositories, and inspect update changes before approving because updates can replace or delete checks/global content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The manifest and intro position the skill as a docs/system parity health-check helper, but the documented workflow includes privileged maintenance operations such as pulling remote code and synchronizing local files. Understating these capabilities increases the chance of unsafe consent and accidental use in untrusted repositories or environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill includes application-control behavior that quits Visual Studio Code via `osascript`, which is unrelated to documentation parity and broadens the impact surface from repo maintenance to host application control. Even if intended as convenience, this can disrupt work, cause data-loss scenarios, or be abused when triggered unexpectedly.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The script executes every .sh file found in both a user-home global directory and a project-local directory, which gives the skill arbitrary code-execution capability far beyond 'parity' or 'health check' behavior. Because project content and local overrides are treated as executable input, a malicious repository or tampered global checks directory can run attacker-controlled commands whenever the skill is invoked.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
For a skill described as an anti-drift/docs-system parity helper, executing shell scripts from $HOME and from the target project is an unjustified and dangerous capability expansion. This makes the skill effectively a generic code runner, so simply opening or starting work in an untrusted project could trigger arbitrary command execution under the user's account.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill is presented as a docs/system parity and health-check utility, but this script fetches code from a remote repository and replaces local files under backstage/checks/global. That is a substantial capability expansion beyond the declared purpose and creates a supply-chain and integrity risk, especially because users may invoke it under the assumption it is only performing local checks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The script performs a network clone from GitHub even though the advertised skill purpose is loading project context with health checks. Hidden or weakly disclosed network access is dangerous in an agent skill because it expands trust boundaries and enables remote content to influence local state.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The rsync --delete operation can overwrite and delete local files in checks/global based on remote repository state. In the context of a supposedly benign health-check skill, this is overly powerful and could be abused to remove safeguards or introduce modified workflow logic through upstream compromise or user confusion.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The header and implementation describe upstream synchronization, but the skill metadata and trigger context describe a health-check/project-context action. This mismatch is security-relevant because it can mislead users and downstream agents about what the skill actually does, reducing informed consent for network and file-modifying behavior.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
Trigger phrases such as greetings are overly broad and overlap with normal conversation, making accidental activation plausible. In this skill, accidental activation is more dangerous because invocation can lead to shell execution, repo inspection, file modification, and update workflows.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
Additional triggers like everyday status or wrap-up phrases further increase the chance of unintended execution. Because the skill is documented to perform privileged local actions, ambiguous triggers materially raise operational risk rather than being a harmless UX issue.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The 'When to Use' section normalizes activation via broad natural-language phrases without clear exclusions or scoping. In a skill that can inspect git state, run checks, update docs, fetch remote content, and sync files, vague activation language meaningfully increases accidental or socially induced execution risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script launches subprocesses from discovered shell scripts without a clear user-facing warning that invoking this skill will execute external code. In the context of an agent skill triggered by natural-language phrases, that lack of transparency increases the chance that users run attacker-controlled checks unknowingly, especially from repository-local override paths.

Ssd 3

Severity: Medium
Confidence: 79%
Finding
The skill encourages the AI to internalize user-specific methodology, ethics, and preferences across sessions, which creates a natural-language retention and privacy risk. Even without explicit memory tooling, this framing pushes toward unnecessary collection or persistence of sensitive workflow habits and project context.

VirusTotal

66/66 vendors flagged this skill as clean.
