Back to skill

Security audit

Phy App Launcher

Security checks across malware telemetry and agentic risk

Overview

This skill mostly creates macOS app launchers as advertised, but it includes under-disclosed network icon generation, a hardcoded third-party API key, and unsafe launcher-writing behavior that users should review first.

Review or edit the script before installing. Avoid using --auto-icon unless you intentionally want to send the app name/prompt to FAL and download a generated icon; the embedded FAL key should be removed or rotated by the publisher. Before creating any launcher, verify the exact project path, app name, output directory, and command, and be aware that an existing .app with the same name may be deleted and replaced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises and instructs execution of a local Python script that creates .app bundles, writes files to the Desktop, and launches shell commands, yet no permissions are declared. This mismatch reduces user awareness and weakens consent boundaries for file writes, shell execution, and possible network access, especially because the referenced behavior extends beyond passive documentation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a local launcher creator, but the static findings indicate additional undisclosed behavior: contacting an external AI service, downloading generated images, and embedding a hardcoded API key. Hidden network activity and secret material are high-risk because users are not informed that project data or prompts may leave the machine, and a hardcoded key can be abused or leak service access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill's primary purpose is local launcher creation, but it also contacts an external AI service and downloads a remote image to /tmp. This expands the trust boundary, sends app-related metadata off-device, and introduces supply-chain/privacy risk that is not essential to the core local functionality.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code silently integrates with a third-party AI service and manages credentials in code despite the skill being described as a local launcher utility. Embedding external-service access and secret handling without clear necessity or user awareness increases the attack surface and can expose credentials or project metadata.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation phrases are broad enough to match ordinary user requests such as making an app 'persistent' or 'clickable,' which can cause the skill to trigger in situations where the user did not specifically intend launcher creation. Because this skill writes executable app bundles and configures commands to run on double-click, overbroad activation increases the chance of unintended persistence-like behavior.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The workflow says to proceed when the user says generic phrases like 'create launcher for this project' or 'make desktop icon,' but it does not define boundaries, validation steps, or confirmation before executing the script. In context, that is risky because the resulting artifact is an executable launcher that can repeatedly run local commands from the Desktop.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hard-coded FAL API key is embedded in the script and automatically injected into the environment if none is present. This is secret exposure, enables unauthorized third-party usage, and normalizes covert outbound service access without the user's informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When auto-icon generation is used, the script sends an app-derived prompt to an external AI service and retrieves a remote file, but there is no clear just-in-time warning or consent flow. In a tool marketed for local development convenience, hidden data egress and remote content retrieval are more sensitive because users may reasonably assume offline behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script unconditionally deletes any existing .app bundle at the destination path before recreating it. This can destroy user data or overwrite an existing application without confirmation, which is risky in a desktop-oriented tool that defaults to a common location like ~/Desktop.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: app-launcher
description: Create macOS desktop app launchers for dev projects. Click an icon on Desktop → auto-runs local dev server in Terminal. Use when user wants to make an app "persistent", create a desktop shortcut, launch dev server with one click, or says "make this app clickable" / "create launcher" / "desktop icon for this project".
homepage: https://canlah.ai
---
Confidence
74% confidence
Finding
Create macOS desktop app launchers for dev projects. Click an icon on Desktop → auto-runs local dev server in Terminal. Use when user wants to make an app "persistent", create a desktop shortcut, laun

Session Persistence

Medium
Category
Rogue Agent
Content
## Workflow

1. User says "create launcher for this project" or "make desktop icon"
2. Identify project path and any custom requirements (name, icon, command)
3. Run the script with appropriate options
4. Confirm the .app was created on Desktop
Confidence
76% confidence
Finding
create launcher for this project" or "make desktop icon" 2. Identify project path and any custom requirements (name, icon, command) 3. Run the script with appropriate options 4. Confirm the .app was c

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.