Back to skill

Security audit

Unihiker K10 Micropython

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real K10 MicroPython helper, but its setup script can silently install and change developer tools using unpinned network installers.

Review setup.sh before running it. Install only if you are comfortable with network-based tool installation, possible sudo use, global Python package changes, Arduino CLI configuration changes, and persistent developer-tool files on your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup script performs installation and filesystem modification actions, including downloading and executing a remote installer, moving binaries into user or system paths, and deleting directories, without any default warning or interactive confirmation. In a developer tool bootstrap script this may be common, but it still creates a meaningful supply-chain and unintended-change risk because users may run it blindly.

Missing User Warnings

High
Confidence
99% confidence
Finding
The command fetches a remote shell script from GitHub and immediately executes it via a pipe to sh, with no integrity verification or default disclosure. If the remote source, transport, or upstream repository is compromised, arbitrary code will run on the user's machine during setup.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script installs Python packages with pip automatically and without a default notice or confirmation. This can alter the user's Python environment, pull unpinned packages from the network, and expose the user to dependency confusion or upstream package compromise.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.