Execution Verifier

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent progress-checking purpose, but it can automatically run caller-supplied local shell commands and recurring cron work without enough scoping or approval controls.

Install only if you will tightly control the verify and execute commands. Avoid unattended --force cron runs, restrict use to a specific project, and require human approval before any command that can change files, agent state, scheduled jobs, or external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    import subprocess  # import added; the scan excerpt starts at the function

    def run(cmd: str):
        # shell=True passes the caller-supplied string to the system shell as-is;
        # this is the line the finding flags
        p = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        return {
            "cmd": cmd,
            "code": p.returncode,
            # the scan excerpt ends above; the captured output fields below are
            # assumed in order to close the dict and make the excerpt runnable
            "stdout": p.stdout,
            "stderr": p.stderr,
        }
Confidence: 98%
Finding: p = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill invokes Python scripts and shell commands but does not declare corresponding permissions, creating a capability/permission mismatch. This can cause the agent or reviewer to underestimate what the skill can do, especially when it reads project files and executes commands as part of its workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The closed-loop mode goes beyond verification and can automatically trigger an execution command when progress is not detected. This creates a self-activating control loop that may launch work without fresh human review, increasing the risk of unintended actions, repeated execution, or abuse if the execute command is changed or influenced.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The skill is described as a verifier/reporting tool, but later documentation includes auto-remediation behavior that launches work. This deceptive or incomplete framing can mislead operators into enabling the skill in contexts where they expect passive checks, not active command execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This skill is explicitly designed to accept shell commands from user-provided arguments and execute them automatically, including a follow-up execute step when verification reports no progress. Without any confirmation, policy gate, or warning, a caller can cause immediate execution of destructive or exfiltrating commands, which is especially risky in agent workflows where parameters may be derived from untrusted task content.

VirusTotal

64/64 vendors flagged this skill as clean.