Back to skill

Security audit

Flagsmith

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Flagsmith access, but it presents a state-changing identity action as an untagged read, which could let agents change Flagsmith traits without clear approval.

Review before installing. This skill should be treated as capable of changing Flagsmith identity traits, not just reading flags. Only use it where agents are expected to operate on that Flagsmith account, and require explicit confirmation before any `identify_identity` call that includes trait-setting data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata and description claim the skill is for 'searching and reading data', but the documented action set includes `identify_identity`, which can set traits and therefore change remote state. This mismatch can cause an agent or user to treat the skill as read-only and invoke it without the extra confirmation normally required for write operations, leading to unintended modifications in Flagsmith.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The safety section states that untagged actions are reads, yet `identify_identity` is listed untagged even though it can set traits and modify state. This creates a direct unsafe execution path where an agent following the documented safety rules may perform a write operation automatically, potentially altering identities or traits in production without explicit approval.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger text says to use this skill for 'ANY Flagsmith request' and 'Whenever a task involves Flagsmith, use this skill instead of calling the API directly,' which is overly broad. Because the skill is not actually read-only and includes a state-changing action, broad routing increases the chance the skill is invoked in contexts where a narrower or safer tool should be used, raising the risk of unintended writes or overreach.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.