Back to skill

Security audit

Ostrom Energy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Ostrom price and smart-home automation helper, but its control mode can run user-provided shell commands and should be used carefully.

Install only if you trust the publisher and are comfortable providing Ostrom API credentials. Keep control mode in dry-run until reviewed, use fixed trusted commands only, do not let untrusted text populate command arguments or .env, and protect any config file containing secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(label: str, cmd: str, execute: bool):
    print(f"{label}: {cmd}")
    if execute:
        subprocess.run(cmd, shell=True, check=True)


def command_control(args, token, api_base_url, zip_code):
Confidence
99% confidence
Finding
subprocess.run(cmd, shell=True, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that access environment variables, read/write local files, make network requests, and execute shell commands, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or hosting platforms may approve the skill without understanding that it can access secrets and invoke arbitrary commands, which is especially sensitive here because OAuth credentials and smart-home control actions are involved.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This skill's advertised purpose is energy-price retrieval and optimization, but it also provides arbitrary command execution when thresholds match. That expands its capability far beyond the declared domain and creates a powerful abuse path for unauthorized system actions, especially in automated smart-home or agent-driven workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The launcher automatically sources a local .env file into the shell environment before executing Python, with no validation or disclosure. In shell, source executes file contents as code, so a modified .env is not just configuration input but an execution vector that can alter behavior, exfiltrate secrets, or run arbitrary commands when the skill starts.

Credential Access

High
Category
Privilege Escalation
Content
if [[ -f "${ROOT}/.env" ]]; then
  set -a
  # shellcheck disable=SC1091
  source "${ROOT}/.env"
  set +a
fi
Confidence
97% confidence
Finding
.env"

Session Persistence

Medium
Category
Rogue Agent
Content
`OSTROM_ZIP` is optional, but recommended to include local taxes/levies and grid/base fees.

For persistent configuration, create `~/.config/ostrom-energy/config.json`:

```bash
mkdir -p ~/.config/ostrom-energy
Confidence
78% confidence
Finding
create `~/.config/ostrom-energy/config.json`: ```bash mkdir -p ~/.config/ostrom-energy cp config.json.example ~/.config/ostrom-energy/config.json $EDITOR ~/.config/ostrom-energy/config.json ``` For

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.