portable-deployment-audit

Security checks across malware telemetry and agentic risk

Overview

This is a read-only local audit skill whose file scanning matches its stated purpose, with a minor privacy note because JSON output includes the machine hostname.

Install this only if you want a local read-only security audit tool. Run it only on directories you are authorized to inspect, keep generated reports private because they can reveal sensitive paths and findings, and be aware that JSON reports include the local hostname.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Severity: Low
Confidence: 95%
Finding:
The tool captures and later reports the local hostname as part of its audit summary, which exceeds the stated file-inspection purpose and can disclose host-identifying metadata into logs or CI artifacts. While not code execution or exfiltration by itself, this unnecessarily broadens the data exposed by a security audit tool.

Context-Inappropriate Capability

Severity: Low
Confidence: 98%
Finding:
Importing and using the OS module to collect host identity information is unnecessary for a read-only deployment audit that is supposed to inspect files only. In CI or shared environments, disclosing the hostname can leak internal infrastructure naming, environment identity, or tenancy details.

VirusTotal

66/66 vendors flagged this skill as clean.