
Security audit

AppDev-Skill

Security checks across malware telemetry and agentic risk

Overview

This skill delegates app-development requests to a local backend, but it does so through an unsafe shell curl command with broad automatic triggering and unclear backend safeguards.

Install only if you intentionally want app-development requests delegated to a trusted local Restate/AppFactory service. Before use, verify what is listening on 127.0.0.1:8080, avoid including secrets or proprietary details in prompts, and prefer a version that uses a constrained HTTP integration with proper JSON escaping and per-request confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill is presented as app-development delegation, but its actual behavior is to transmit the user's request to a backend HTTP endpoint via exec and curl. That mismatch matters because users may believe the agent will handle the task locally, while the skill silently forwards potentially sensitive prompts to another service.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
Granting a skill the ability to use exec to invoke curl creates a broader capability than simple app-task routing, because it enables arbitrary command execution patterns and outbound HTTP behavior. Even if the current example targets localhost, this expands the attack surface and can be repurposed to send data or trigger unintended local services.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger description is very broad and can activate on many ordinary app-related conversations, increasing the chance that user prompts are forwarded when the user did not intend to invoke backend delegation. Over-broad triggering makes data exposure and unintended side effects more likely because the skill may run in contexts beyond its narrowly expected purpose.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill does not provide a user-facing warning that their prompt will be sent over HTTP to a backend service. This lack of transparency is dangerous because users may include secrets, proprietary code, or internal requirements in a request they assume stays within the local assistant context.

VirusTotal

66/66 vendors flagged this skill as clean.
