Back to skill

Security audit

Segment

Security checks across malware telemetry and agentic risk

Overview

This Segment skill can write analytics and identity data but describes itself as for reading/searching, so it needs user review before installation.

Review carefully before installing. Use it only if you intend agents to send Segment events or update Segment identity/group associations, and require explicit confirmation of the exact payload before any action runs. Do not rely on it for read-only Segment lookup, search, or reporting tasks as written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest and description claim this skill is for 'searching and reading data,' but every listed Segment action (`alias`, `batch`, `group`, `identify`, `page`, `screen`, `track`) sends events or mutates identity/state in Segment. This mismatch can mislead an agent into invoking the skill for ostensibly read-only tasks, causing unintended writes to production analytics pipelines and user profiles.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The safety section says untagged actions are reads and safe to run directly, but the untagged actions listed are actually write operations that send Segment events or modify identity/group associations. This creates a direct unsafe-automation path where an agent may execute state-changing calls without confirmation under the false assumption they are read-only.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase 'Use this skill for ANY Segment request' is overly broad and encourages routing all Segment-related tasks through this skill, even though the skill only exposes write/event-ingestion behavior. In context, that increases the chance an agent will select this skill for benign lookup or analysis requests and accidentally emit events or alter identity/group data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.