Security audit

Lucky Build Execution Protocol

Security checks across malware telemetry and agentic risk

Overview

This is mostly a build-workflow checklist, but it can automatically run commands, make commits, use a hardcoded SSH key and remote host, and delegate work without clear user approval.

Install only if this is your intended Lucky/Ray/Jinx workflow and you trust the referenced host, SSH key, local enforcement script, and any delegated agents. Before using it, remove or gate the SSH/Jinx steps, require confirmation before commits, backups, curl submissions, and shell scripts, and avoid placing secrets in project memory logs.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium, 91% confidence

Finding: The skill’s advertised purpose is a generic build-queue workflow, but it silently introduces remote SSH/HTTP interaction with a specific host and requires orchestration of an external system ('Jinx'). That expands the skill’s operational scope into networked command execution and data exchange, which can expose project context or trigger unintended remote actions without informed user consent.

Description-Behavior Mismatch

Medium, 88% confidence

Finding: The skill mandates running a local enforcement shell script and invoking other skills as a hard gate, yet those stronger capabilities are not disclosed in the manifest. This creates hidden execution behavior: a user selecting a workflow protocol may unknowingly cause arbitrary local script execution with whatever privileges the agent currently has.

Context-Inappropriate Capability

Medium, 90% confidence

Finding: Routine access to a remote host and remote task orchestration are materially more powerful than a generic build-execution helper requires. In context, the hard-coded SSH target and status query normalize network actions during ordinary development work, increasing the risk of data leakage, unauthorized remote side effects, and abuse if the remote endpoint is compromised or misconfigured.

Context-Inappropriate Capability

Low, 82% confidence

Finding: Mandating a local shell enforcement script gives the skill code-execution power beyond what users would expect from a build workflow description. While the referenced script may be legitimate, hidden shell execution broadens the attack surface and could be dangerous if the script path is replaced, modified, or behaves unexpectedly.

Vague Triggers

High, 95% confidence

Finding: The auto-trigger conditions are broad phrases like 'work on [project]' and 'keep going', which are common conversational inputs and can cause the skill to activate unintentionally. Because this skill then directs test execution, git commits, remote status checks, and script invocation, accidental triggering materially raises the risk of unintended system changes and network activity.

Missing User Warnings

Medium, 92% confidence

Finding: The skill instructs SSH and HTTP operations to a remote host without warning about privacy, credential, or system-impact implications. In a build workflow context, users may not expect project metadata, prompts, or task details to be exposed to external infrastructure, making the lack of disclosure and consent particularly risky.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.