Security audit

Phy Concurrency Audit

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but its embedded scanner appears broken and may give users a false sense that concurrency checks are running.

Review this carefully before relying on it. The skill appears intended to run only a local static scan, but the provided script needs to be fixed before it can work; do not treat it as providing concurrency or TOCTOU coverage until the startup failure is corrected and tested.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The documented implementation is nonfunctional because PATTERNS references _build_js_concurrency_patterns() before that helper is defined. In Python, top-level code executes sequentially during import, so this raises a NameError and prevents the scanner from running at all, creating a denial-of-service against the security control and causing users to miss real race-condition findings.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.