Larrybrain

Security checks across malware telemetry and agentic risk

Overview

LarryBrain is a disclosed skill marketplace, but it gives downloaded remote skills too much automatic authority to write files and run setup on the user's machine.

Install only if you intentionally want an agent-managed third-party skill marketplace. Require explicit confirmation before each search, download, file write, dependency install, command run, service start, or update; inspect downloaded files and paths first; sandbox setup where possible; and protect or rotate the LarryBrain API key if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability
Severity: High | Confidence: 99%
Finding:
This skill goes beyond searching/downloading marketplace content and instructs the agent to execute arbitrary downloaded SKILL.md instructions, including dependency installation and service startup. That creates a remote code execution and prompt-injection chain where untrusted marketplace content can directly cause system changes on the user's machine.

Context-Inappropriate Capability
Severity: High | Confidence: 98%
Finding:
The example workflow normalizes installing packages and running third-party tools based solely on downloaded skill instructions. Even as an example, it operationalizes unsafe behavior and encourages the agent to execute code outside the marketplace skill's stated role.

Scope Creep
Severity: Medium | Confidence: 93%
Finding:
The documented upload/publish workflow exceeds the manifest's declared permission scope, which says network access is only for searching and downloading skills. That mismatch can mislead users and tooling about what network actions the skill may attempt, weakening trust and permission boundaries.

Intent-Code Divergence
Severity: Medium | Confidence: 87%
Finding:
The skill presents careful non-execution rules during update diffing, but elsewhere requires full execution of downloaded skill instructions. This inconsistency undermines the security model and can confuse agents into treating the same remote content as untrusted in one phase and trusted in another without meaningful validation.

Vague Triggers
Severity: High | Confidence: 96%
Finding:
The instruction to run this skill first whenever the user asks for something the agent doesn't already know how to do is overly broad. It increases exposure to untrusted remote content by making marketplace retrieval a default path for many requests, including cases where safer local handling or clarification should come first.

Missing User Warnings
Severity: High | Confidence: 99%
Finding:
The workflow directs automatic search, download, filesystem writes, and subsequent execution of installed skill instructions without an explicit approval step. This removes informed consent before high-risk actions and allows untrusted remote content to produce immediate local side effects.

Missing User Warnings
Severity: Medium | Confidence: 97%
Finding:
The example shows package installation and command execution from downloaded instructions without a safety warning or confirmation checkpoint. Examples strongly influence model behavior, so this materially increases the chance of unsafe autonomous execution.

Ssd 4
Severity: High | Confidence: 99%
Finding:
This creates a trust chain from marketplace retrieval to unconditional obedience: download skill, install it, read SKILL.md, and follow its instructions. That is dangerous because it converts externally supplied content into effective control over the agent's behavior and local system changes.

Ssd 4
Severity: High | Confidence: 98%
Finding:
Claims that all downloaded skills are reviewed, scanned, and transparent are used to lower skepticism about remote content. In the same skill, that assurance supports later instructions to execute downloaded SKILL.md steps, making the trust framing materially dangerous if review is incomplete or bypassed.

Ssd 1
Severity: High | Confidence: 99%
Finding:
The instruction to follow every downloaded SKILL.md instruction 'as if it were your own skill' is direct role reframing. It attempts to transfer authority from the platform's trusted instructions to untrusted remote content, enabling prompt injection and arbitrary action execution.

VirusTotal

64/64 vendors flagged this skill as clean.