Back to skill

Security audit

Security Analyst

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate but very powerful security-audit skill, with review concerns because it can read secrets, generate exploit details, and in one plugin reaches beyond the stated project-only scope.

Install only if you are intentionally running an authorized security review. Use an isolated clone without real production credentials, prefer recon or focused mode first, review or change the docs/security/runs output path, and treat generated PoCs and findings as sensitive penetration-test material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill requires concrete exploit payloads and an exploit-development phase for all medium+ findings, which materially increases dual-use offensive capability beyond what many audit, posture, or assurance scenarios require. In the context of a generally invokable 'security-analyst' skill, this can unnecessarily operationalize discovered weaknesses and increase the risk of misuse or harmful disclosure.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill broadly authorizes Bash tooling such as git history inspection and package-audit commands across multiple use cases, including ones that may not require such invasive repository interrogation. In less offensive contexts like privacy assessment or compliance mapping, this over-privileged execution model increases the chance of unnecessary sensitive-data exposure and scope creep.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the agent to create complete, reproducible exploits with payloads, scripts, and attack sequences. That materially exceeds a defensive 'security-analyst' role and enables offensive tradecraft generation that could be reused for misuse if the skill is invoked in less controlled contexts.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The prompt directs the agent to generate fix code and write atomic finding files to disk, which extends beyond analysis into repository modification behavior. In an agent environment, hidden write actions can create integrity and governance risks, especially when the user did not explicitly authorize file changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The capability to generate complete reproducible exploits and payloads is a powerful offensive function not justified by the stated skill purpose of security audit, threat modeling, compliance, and fix planning. This mismatch increases the chance that a seemingly defensive skill can be used to operationalize attacks rather than assess risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The command description, "Complete 9-phase offensive security analysis. No prompts — runs everything," is broad enough to be invoked in situations where the user may not expect a fully automated, high-impact workflow. In a security-analysis skill, this increases the chance of unintended execution, excessive actions, and broad artifact generation without an explicit confirmation boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file explicitly states that it will run the complete analysis with no interactive prompts and write outputs to `docs/security/runs/{YYYY-MM-DD-HHMMSS}/`, but it does not warn the user about automatic file creation or non-interactive execution. This can lead to surprise writes, unintended disclosure in generated reports, repository pollution, or execution of a large analysis workflow without an informed user decision.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs writing a large volume of reconnaissance, findings, exploit, SBOM, and remediation artifacts to disk under a persistent run directory without a strong default warning or consent model for sensitive output retention. These artifacts may contain attack paths, file locations, dependency weaknesses, and other high-value security intelligence that could be exposed to other users, backups, or logs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to inspect local cloud credential locations and environment variables such as ~/.aws/ and AWS_*/GOOGLE_*/AZURE_* values. In an agent context, this expands the audit scope from project artifacts into highly sensitive local secrets without any requirement for user consent, minimization, or masking, creating a real risk of credential exposure or over-collection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The prompt instructs the agent to write findings to disk without any user-facing warning that files will be created or modified. Undisclosed state-changing behavior is dangerous because it can surprise operators, overwrite artifacts, leak sensitive content into the workspace, or violate expectations about read-only analysis.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs use of Bash, git, file reads, and writing output files, but does not warn that these actions execute commands and modify the filesystem. In an agent setting, that increases the chance of unintended side effects, misuse of powerful tooling, or execution in sensitive environments without informed user consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to read .env files, secret-related files, and search for hardcoded credentials without any guardrails for handling sensitive material. In practice, this can expose API keys, passwords, tokens, and other secrets to the agent output, logs, or downstream tools, creating a real confidentiality risk during security review.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Instructing the agent to read all .env files without privacy or credential-handling safeguards is a direct secret-exposure hazard. Because .env files commonly contain production credentials, tokens, and internal endpoints, indiscriminate reading materially increases the likelihood of leaking sensitive data into reports, prompts, or logs.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
## Output

Follow the LOD output instructions appended to this prompt. Write each finding as an atomic LOD-2 file to `{FINDINGS_DIR}/{FINDING-ID}.md`. Return only your LOD-0 summary table to the orchestrator.

Finding IDs: Use prefix `AUTHZ-XXX`
Confidence
93% confidence
Finding
output instructions

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
## Output

Follow the LOD output instructions appended to this prompt. Write each finding as an atomic LOD-2 file to `{FINDINGS_DIR}/{FINDING-ID}.md`. Return only your LOD-0 summary table to the orchestrator.

Finding IDs: Use prefix `CTR-XXX`
Confidence
93% confidence
Finding
output instructions

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
## Output

Follow the LOD output instructions appended to this prompt. Write each finding as an atomic LOD-2 file to `{FINDINGS_DIR}/{FINDING-ID}.md`. Return only your LOD-0 summary table to the orchestrator.

Finding IDs: Use prefix `DEP-XXX`
Confidence
94% confidence
Finding
output instructions

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
## Output

Follow the LOD output instructions appended to this prompt. Write each finding as an atomic LOD-2 file to `{FINDINGS_DIR}/{FINDING-ID}.md`. Return only your LOD-0 summary table to the orchestrator.

Finding IDs: Use prefix `DATA-XXX`
Confidence
95% confidence
Finding
output instructions

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal