Back to skill

Security audit

Agent Guardrails

Security checks across malware telemetry and agentic risk

Overview

This security-focused skill appears non-malicious, but it installs persistent repository automation and can mutate project/skill files with insufficiently clear user control.

Install only after reviewing the scripts and accepting that they may modify repository files, install git hooks, inspect changed files, and create local workflow artifacts. Prefer a test repository first, check .git/hooks and AGENTS.md changes, avoid enabling AUTO_COMMIT_NO_CONFIRM unless you intentionally want unattended commits, and make sure your team has a rollback or uninstall path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs users to run shell scripts and describes environment/secret handling behavior, but it does not declare permissions or capabilities up front. That creates a transparency and consent problem: consumers may treat the skill as documentation-only while it actually drives shell execution and access to potentially sensitive environment context. In a security-oriented skill, hidden execution capability is more dangerous because users are encouraged to trust and broadly install it across projects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose focuses on enforcing project guardrails, but the described behavior extends into self-maintenance and publication workflows, including post-commit automation, task generation for skill updates, and semi-automatic commits under skills/. That mismatch is security-relevant because operators may authorize project-level enforcement while unintentionally granting a mechanism that mutates repository state, persists automation, and may publish or propagate changes beyond the immediate project. The context makes this more dangerous, not less, because a 'guardrails' skill is likely to be trusted and installed widely with elevated credibility.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer deploys persistent repository automation by creating detection scripts, an auto-commit helper, a workflow file, and a post-commit hook across the target project. That exceeds simple guardrail enforcement and introduces ongoing monitoring/change-management behavior that can alter developer workflow and normalize semi-automatic propagation of changes into skills.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Installing a post-commit hook creates a persistent mechanism that runs after every commit, effectively surveilling repository activity for selected patterns and feeding a downstream update workflow. In a security tool, this is especially sensitive because hooks execute automatically and can be abused or surprise users if not narrowly justified and explicitly consented to.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The generated script claims auto-commit occurs with confirmation, but setting AUTO_COMMIT_NO_CONFIRM=true bypasses the prompt and commits skill changes automatically. This mismatch can mislead users and CI operators, increasing the chance of unintended commits or unauthorized workflow automation in environments where variables are inherited.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The thread directly instructs users to clone a third-party repository and execute an install script (`bash agent-guardrails/scripts/install.sh .`) without any safety warning, review guidance, or explanation of what files/hooks will be modified. In a skill aimed at agent enforcement and repo integration, readers are especially likely to copy-paste these commands, creating a realistic risk of unintended project modification or execution of unreviewed code from an external source.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that installation will automatically install a git pre-commit hook, create files, copy scripts, and modify AGENTS.md, but it does not clearly foreground that these are automatic writes into the user's project. In an agent skill context, users may execute install commands with high trust, so insufficient disclosure can lead to unexpected repository changes, policy injection, or workflow disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The one-line installation commands encourage direct execution of an external script against a target project without prominently warning that it performs automatic configuration and file writes. Even if the tool's purpose is protective, this pattern increases the risk of users running code they have not reviewed, which is especially sensitive in developer tooling that alters repository behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document proposes a post-commit hook that automatically scans changed files on every commit, but it does not clearly warn users that repository contents and filenames will be inspected and that results will be logged into local task/archive files. In a security-focused skill, silent continuous inspection is risky because repositories may contain sensitive code, secrets, or regulated data, and users may not realize the extent of collection and retention.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The future 'fully automatic' workflow envisions an AI agent that reads project changes, modifies skill files, runs tests, and auto-commits, but it does not include explicit user approval, scope limits, or warnings about autonomous modification. That creates a meaningful risk of unauthorized code changes, propagation of unsafe patterns, or accidental inclusion of sensitive project-derived content into shared skill assets and git history.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script performs broad writes into an arbitrary user-supplied project directory, creating executable files, a checklist, hook templates, and setup instructions without any interactive confirmation, dry-run mode, or guardrails against accidental targeting. In an agent context, that is risky because a mistaken or manipulated path can silently modify repository contents and developer workflow, including introducing a pre-commit hook that influences future commits.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer writes multiple executable scripts, a workflow document, and a git hook directly into the target repository without any confirmation step or dry-run preview. Silent modification of project automation is risky because it changes repository behavior immediately and may persist unnoticed, especially when writing into .git/hooks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/check-secrets.sh:90