Back to skill

Security audit

cs

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed diagnostics skill, but it gives agents an unrestricted local shell-command path and can over-collect host data without strong controls.

Install only if you intentionally want an agent-accessible local diagnostics and command-execution tool. Avoid the custom --cmd path unless you fully trust the exact command, and review or redact any generated reports before sharing because they may expose usernames, hostnames, network topology, directory listings, and command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script accepts a caller-supplied --cmd value and passes it directly to execSync, which invokes a shell. That makes this a generic arbitrary command execution primitive rather than a bounded diagnostics tool, enabling execution of destructive commands, data exfiltration, persistence, or lateral-movement actions under the privileges of the process.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
In main(), the tool prioritizes CONFIG.customCmd and executes it directly, so its real behavior is that of a generic command runner. This materially exceeds the stated system-diagnostics purpose and removes any safety boundary around what operations the skill can perform.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file explicitly defines a `malicious_tests` section containing privilege enumeration, sensitive-information collection, and network reconnaissance commands. Even if framed as detection validation, embedding these offensive command patterns in an agent skill materially increases the chance the skill will be used to perform or normalize hostile reconnaissance on the host environment.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata and earlier command groups present the file as routine diagnostics, but the later inclusion of offensive-style tests creates a misleading trust boundary. This mismatch is dangerous because users or higher-level orchestration may approve the skill for benign troubleshooting while unknowingly exposing capabilities for privilege and reconnaissance activity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly collects operating system details, user privilege information, network configuration, and environment variables, but the operational steps do not prominently warn that these outputs may contain secrets, internal topology, usernames, tokens, or other sensitive metadata. In a security-diagnostics skill, normalizing this collection without strong privacy guidance increases the risk of accidental disclosure, over-collection, or unsafe sharing of the resulting data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The report-generation example writes full diagnostic output to diagnosis-report.json without warning that the file may persist sensitive host, network, account, and filesystem information on disk. Persisting such data can expose it to other local users, backups, logs, or later exfiltration, especially on shared or managed systems.

Missing User Warnings

High
Confidence
95% confidence
Finding
The arbitrary command path executes immediately with no warning, confirmation, or privilege/risk disclosure. In an agent skill context, this increases the chance that a user or upstream component triggers dangerous shell execution without understanding that the tool can run any OS command.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The built-in commands enumerate network configuration, host identity, routing, and filesystem details, which can expose sensitive environment data such as usernames, hostnames, interfaces, and installed tooling. In a security-testing context some collection is expected, but the script provides no explicit disclosure, scoping, or minimization, so it may overshare sensitive host data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cmd-executor.mjs:58