Skill Validator

Security checks across malware telemetry and agentic risk

Overview

The included validator scripts are mostly local checks, but the skill documentation points users toward an unreviewed publishing adapter and release workflows that go beyond validation.

Review before installing. The local validator scripts do not show hidden exfiltration or destructive behavior, but use only the packaged validator unless you intentionally want publishing behavior. Do not run the curl-downloaded adapter or bulk publish commands until you inspect that external script and are comfortable with which files, accounts, and services will be used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents shell-based operations, including validation, fixing permissions, packaging, and publishing, but does not declare any permissions or capability boundaries. This makes the skill's execution scope opaque to users and reviewers, increasing the risk of unexpected command execution and file/system modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest claims this is a validation tool, but the documented behavior extends to installation-side filesystem changes, local config/rule creation, optional sudo-linked installation, and broader environment modification. That mismatch prevents informed consent and can mislead users into granting trust to a tool that performs materially more invasive actions than advertised.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file presents itself as a skill-validation tool, but most of the body documents a different tool focused on publishing, packaging, retries, multi-channel release, and GitHub/ClawHub workflows. This identity mismatch is dangerous because users may invoke it expecting passive validation while it is designed to perform networked release and artifact-generation tasks.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Publishing and multi-platform release capabilities materially exceed the expected scope of a validation tool and introduce outbound network actions, artifact creation, and potential data disclosure. In this context, the undocumented expansion of scope makes accidental publication or unintended transmission more plausible and therefore more dangerous.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Branding the skill as a validator while repeatedly documenting 'skill-publish-adapter' behavior creates a confusing and misleading trust boundary. Even if not overtly malicious, this inconsistency can cause users and automated reviewers to underestimate the risk of modification and publication actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown describes automatic file creation and permission changes but does not clearly warn users that local files may be modified. For a tool framed as validation, silent repair actions can alter repositories, executable bits, or generated files in ways the user did not expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented publish workflow sends content to ClawHub and GitHub but does not include a privacy, transmission, or destination warning. Users may unintentionally upload source, metadata, or packaged artifacts externally under the assumption that the skill only validates local format issues.

VirusTotal

64/64 vendors flagged this skill as clean.
