Back to skill

Security audit

Construction Claim Strategy

Security checks across malware telemetry and agentic risk

Overview

This is a local construction-claim strategy aid with no evidence of hidden network, credential, purchase, or destructive behavior.

Reasonable to install if you want a local strategy-planning helper. Treat inputs and generated reports as confidential legal/commercial material, have qualified counsel review disclosure decisions and dispute submissions, and do not grant any payment, wallet, or account authority if the platform surfaces permissions from the unrelated metadata tags.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The finding is valid: the test/docstring claims to enforce a broad security property ('stdlib-only, no network, no subprocess'), but the implementation only checks a small hardcoded set of imports and calls in one script. This can create a false sense of security, allowing dangerous modules or execution paths to be introduced without the test failing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The passage advises users to be careful with full programme disclosure if it reveals contractor-caused delays and to seek legal advice on what must be disclosed, but it does so in a way that can encourage strategic withholding of adverse information. In a claims strategy skill, that framing may normalize selective disclosure without clearly warning about duties of candour, disclosure obligations, tribunal sanctions, or fraud/misrepresentation risk.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.