Back to skill

Security audit

Remote Skill Test

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent remote-testing purpose, but it gives a remote agent broad unattended authority and under-discloses the resulting host and data exposure risks.

Install only for isolated, non-production test hosts with a least-privilege SSH account and test-only API keys. Review the exact prompt, target skill, remote host, and repository source before running; treat retrieved reports and opencode-run.log as sensitive; avoid shared jump hosts or environments containing production credentials or unrelated private files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The README states the skill does not modify remote files, but the documented workflow clearly performs remote installation/update actions via `npx skills add`, which changes the remote filesystem. This is dangerous because operators may trust the safety claims and run the skill on sensitive hosts without realizing it performs writes and package installation, increasing the chance of unintended system changes or supply-chain exposure.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The security rules claim the skill does not modify remote files, yet the steps explicitly create directories and install skills remotely. This inconsistency undermines informed consent and can cause users to approve execution under false assumptions, especially on shared jump hosts where even test-directory writes and package installation may violate policy or alter system state.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt suffix explicitly tells the remote run to perform cross-directory reads without confirmation and to auto-execute all actions. That removes a key containment boundary and can cause the tested skill to access unrelated remote files or perform broader actions than necessary for simple validation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Using `opencode run --dangerously-skip-permissions` disables interactive permission checks for the remote execution entirely. In the context of running an arbitrary skill prompt on a remote host, this can enable unrestricted reads, writes, and command execution beyond the orchestration purpose, especially if the tested skill is buggy or adversarial.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document claims the skill will not modify remote files beyond creating the test directory and running `opencode run`, yet it also instructs `npx skills add panlm/skills -y`, which writes files into the remote test directory and may fetch remote content. This mismatch is dangerous because it misrepresents the true behavior and can cause users to grant access under false assumptions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly describes sending user-provided prompts to a remote host over SSH, capturing full stdout/stderr to logs, and copying reports and logs back via SCP, but it does not warn users that prompts, outputs, and generated reports may contain secrets or sensitive operational data. In this skill’s context, that omission is meaningful because the workflow is specifically designed to move potentially sensitive test inputs and diagnostic artifacts across systems and persist them in local and remote directories, increasing the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs use of `opencode run --dangerously-skip-permissions` for non-interactive execution without an explicit warning about the security implications. In this skill's context, that is more dangerous because it runs on a remote jump host and executes user-provided prompts after installing skills, so bypassing permission checks reduces an important safety barrier before potentially sensitive remote actions occur.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs automatic remote execution without confirmation for cross-directory reads and follow-on actions. This bypasses the user's opportunity to review sensitive accesses and broadens the effective authority of the remote run beyond what is justified by testing.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill describes SSH-based remote command execution, remote file writes, and report retrieval as routine workflow steps without a prominent up-front warning about the risks. In a remote-host context, lack of explicit safety notice increases the chance that users unknowingly authorize impactful operations on sensitive systems.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The natural-language suffix mandates fully automatic execution and explicitly instructs the agent not to wait for user confirmation. That removes an important safety checkpoint and can turn a bounded test into unsupervised remote activity if the prompt or underlying skill behaves unexpectedly.

Ssd 3

High
Confidence
98% confidence
Finding
By instructing cross-directory reads without confirmation, the skill enables the remote run to collect data from locations unrelated to the requested test. On a jump host, that may expose credentials, configuration, logs, or other tenant data and then incorporate it into generated outputs or retrieved artifacts.

Ssd 3

High
Confidence
94% confidence
Finding
The workflow captures all stdout/stderr to a log and then copies logs and markdown artifacts back locally. Because remote skills may echo prompts, file contents, secrets, stack traces, or other sensitive material, indiscriminate collection and exfiltration of all output materially increases data exposure risk.

Ssd 4

High
Confidence
97% confidence
Finding
Taken together, the workflow normalizes a chain of risky behaviors: broad remote execution, package installation, permission bypass, autonomous cross-directory access, and wholesale artifact retrieval. Even if each step is framed as operational convenience, the combined design materially increases the likelihood of unsafe access and data exfiltration on the remote host.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.