Back to skill

Security audit

Ai Automation Workflows

Security checks across malware telemetry and agentic risk

Overview

This is a transparent AI automation guide with real but disclosed privacy and shell-scripting risks, not evidence of hidden malicious behavior.

Install only if you intend to build inference.sh automations. Prefer the manual or checksum-verified CLI install path, review any cron jobs before enabling them, do not send secrets or private files to model prompts, and replace webhook examples with approved endpoints that send only minimal redacted error metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The webhook alert example introduces direct outbound transmission of runtime data to an arbitrary external endpoint, while the skill manifest advertises an infsh-only automation scope. This can leak command output, errors, prompts, tokens, or other sensitive workflow content to third parties without clear user consent or trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The helper function executes any command passed via "$@" and, on failure, forwards both command text and output externally. In a skill focused on AI workflows, this creates a generic execution-and-exfiltration wrapper that can be repurposed beyond the stated use case and amplifies damage from accidental or unsafe command selection.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The sequential pipeline sends research results and generated content to multiple external AI services without warning that potentially sensitive or proprietary text may be disclosed to third parties. In an automation skill, users may adapt these patterns to internal documents or business data, making silent transmission more risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The webhook alert example posts raw error output and the invoked command to an external URL without any privacy warning. Error streams commonly contain prompts, file paths, environment details, API responses, or credentials, so this pattern can directly exfiltrate sensitive operational data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The data processing example reads local files and embeds their full contents into prompts sent to an external model, with no warning about sensitive data handling. This is especially dangerous because users are likely to apply the pattern to real datasets, which may include regulated, confidential, or personal information.

External Transmission

Medium
Category
Data Exfiltration
Content
if [ $status -ne 0 ]; then
    # Send alert (webhook, email, etc.)
    curl -X POST "https://your-webhook.com/alert" \
      -H "Content-Type: application/json" \
      -d "{\"error\": \"$result\", \"command\": \"$*\"}"
  fi
Confidence
97% confidence
Finding
curl -X POST "https://your-webhook.com/alert" \ -H "Content-Type: application/json" \ -d

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.