Back to skill

Security audit

Skill Auditor & Enhancer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed workspace audit tool, but it reads sensitive memory/configuration files and can send derived results to Telegram on a schedule without clear per-run consent.

Install only if you are comfortable with scheduled audits of private workspace memory and configuration being summarized through model providers and sent to Telegram. Prefer manual dry-run use first, restrict readable files, add redaction and exclusions, verify the Telegram destination, and avoid enabling the cron job until retention and disable controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares broad read/write behavior through its workflow and artifact generation, but it does not explicitly declare permissions. That mismatch weakens policy enforcement and user awareness, making it easier for the skill to access or write files without clear review boundaries.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The severity-to-label mapping is inverted: 'green' is labeled 'Safe refactors', while 'red' is labeled 'Informational', which contradicts common severity semantics and the emoji coloring. In this skill's context, the output is sent directly to Telegram and may drive user approvals, so misleading labels can cause risky recommendations to appear harmless and influence unsafe decisions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "review workflow" is broad enough to match normal user conversation and may invoke the audit unexpectedly. In this skill, unintended activation is more dangerous because the audit reads broad workspace context and is designed to deliver results externally.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill states it sends workspace-derived recommendations directly to Telegram without user prompting, but it does not present clear upfront consent or disclosure boundaries. That creates a real exfiltration risk because users may not understand that internal workspace content can be summarized and transmitted to an external service automatically.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill combines broad ingestion of skills, memory, and configuration with automatic Telegram delivery, creating a strong semantic path from internal sensitive data to external disclosure. Even if recommendations are high-level, summaries can still reveal secrets, personal data, operational details, or internal priorities.

Ssd 3

Medium
Confidence
94% confidence
Finding
Phase 1 directs ingestion of persona, memory, user, and configuration files in one pass, which exceeds data minimization for a recommendation engine. Aggregating these sources increases the chance that sensitive context is unnecessarily exposed to downstream models and later included in outputs.

Ssd 3

Medium
Confidence
95% confidence
Finding
The delivery step explicitly instructs the agent to send audit results as a Telegram message, turning internal analysis into external disclosure. In the context of broad workspace inspection, this materially increases the risk of leaking confidential or sensitive operational information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.