AuditCore — Network Security Audit Suite

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent network-audit suite, but it under-labels write, persistence, script-generation, and broad offensive-tool routing behavior as read-only.

Install only if you are comfortable with a write-capable, security-audit workflow rather than a truly read-only skill. Use it in a dedicated workspace, restrict target access to authorized systems, review generated remediation scripts before any execution, and avoid loading the community index or tools inventory unless you explicitly need those broader capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (44)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
The skill is labeled and marketed as read-only, yet the workflow explicitly instructs saving findings to disk. That mismatch can cause operators or orchestrators to grant broader file-write capability than expected, undermining trust boundaries and potentially exposing sensitive audit artifacts. In a security-audit context, findings may contain device configs, topology details, and control gaps, so local persistence is not harmless.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The metadata declares safetyTier/read-only, but the operational flow includes writing findings JSON to disk and later reading it back. This is a capability disclosure failure: downstream systems may treat the skill as non-persistent while it actually produces persistent artifacts, increasing the chance of unintended data retention or policy bypass. Because this is an audit suite for critical network infrastructure, the stored data may be sensitive enough to aid an attacker if exposed.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The skill declares itself as read-only, but its documented workflow explicitly includes persisting a newly generated skill to disk and later updating trust metadata after execution. This creates a dangerous mismatch between declared safety and actual behavior, which can cause an orchestrator or user to grant broader trust than warranted and enable unauthorized file writes or persistent modification of the skill library.

Intent-Code Divergence

Severity: High
Confidence: 97%
The documentation reinforces a read-only safety claim while describing a workflow that writes SKILL.md files and updates frontmatter after successful runs. Misrepresenting write behavior in safety documentation undermines policy enforcement, auditability, and user consent, especially in systems that rely on metadata to decide what capabilities a skill may receive.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The file presents itself as a benign Layer 0 index, but explicitly directs the agent to load downstream community skills and execute their workflows. Because those downstream skills span offensive and unrelated domains, this turns a read-only index into a capability expansion and instruction relay mechanism that can bypass the parent skill's intended scope.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
The instruction to read arbitrary skill files and execute their workflows creates an unjustified capability escalation path. In an agent setting, this allows transitive trust of unreviewed community content and can expose the system to prompt injection, unsafe actions, or use of offensive functionality outside the declared audit purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
The catalog includes many offensive skills such as exploitation, phishing, credential access, C2, and attack simulation, which materially expand what an agent could be induced to do. In the context of a network-audit skill, indexing and encouraging access to these capabilities increases the risk of misuse, scope drift, and unsafe task selection.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
The manifest declares the skill as read-only, but the body instructs the agent to generate multiple HTML, Markdown, and shell-script files on disk. This mismatch can bypass operator expectations and policy enforcement, causing a supposedly low-risk reporting skill to perform filesystem writes and create executable remediation artifacts.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
The skill says it only reads findings from disk, but later directs creation of reports and remediation files, including shell scripts. This internal contradiction increases the chance that reviewers, orchestrators, or users will authorize the skill under false assumptions, enabling unintended persistence or unsafe follow-on actions.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
The skill is labeled read-only, but its own instructions require creating HTML reports and remediation/rollback shell scripts on disk. This mismatch can mislead orchestrators, reviewers, or users into granting the skill broader filesystem-write behavior than expected, undermining safety assumptions and change-control boundaries.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
The documentation first frames the skill as only reading findings from disk, then later directs it to generate reports and shell scripts. This internal inconsistency creates deceptive behavior expectations, which is dangerous in agent systems because downstream components may approve execution based on the earlier, more restrictive description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
A reporting skill should summarize assessment results, but this one also generates remediation and rollback shell scripts. Producing executable artifacts from findings expands the attack surface substantially: malformed or adversarial finding content could be embedded into scripts, and operators may later run them with elevated privileges assuming they were safely generated.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
The skill declares itself as read-only, yet its documented behavior includes writing HTML reports, markdown, and shell scripts to disk. This mismatch is dangerous because orchestrators, policy engines, or users may grant it elevated trust or bypass write controls based on the false metadata, leading to unauthorized filesystem modification and possible execution of generated scripts downstream.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
The documentation says the skill only reads findings from disk, but later instructs the agent to generate multiple artifacts, including scripts. This inconsistency can mislead operators and automated safety controls about the skill's side effects, increasing the chance of unreviewed writes and unsafe follow-on actions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Generating remediation, rollback, and verify shell scripts is outside the narrow purpose of an ISO 27001 reporting skill and materially expands its capability from reporting into operational change tooling. If findings data or control identifiers influence script contents or filenames, this can create a path to command/script injection, unsafe administrative actions, or accidental deployment of unreviewed remediation commands.

Intent-Code Divergence

Severity: High
Confidence: 97%
The skill is explicitly labeled as read-only, but its instructions direct the agent to generate HTML reports, POA&M files, and remediation shell scripts on disk. This mismatch is dangerous because policy engines, users, or orchestration layers may permit the skill under a low-risk read-only classification while it actually performs write operations and creates executable artifacts.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The documentation states that the skill reads findings from disk, but later instructs creation of multiple output files and remediation scripts. This inconsistency can mislead agents and reviewers about the true side effects, increasing the chance that the skill is invoked in contexts that allow data reads but not persistent writes or executable output generation.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
The skill metadata declares a read-only safety posture, but the body instructs creation of HTML reports and remediation shell scripts on disk. This mismatch can cause downstream agents or policy engines to grant the skill broader trust than warranted, leading to unauthorized file writes and generation of executable artifacts.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
The documentation states the skill only reads findings from disk, but later mandates writing multiple reports and shell scripts. This deceptive or inconsistent description increases the chance that an autonomous agent will perform side-effecting actions under a false assumption of read-only behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
The skill presents itself as a Layer 0 routing/index component, but its documented workflow includes persistence of findings to disk and generation of reports and remediation scripts. That mismatch can mislead operators and downstream policy engines into treating it as harmless metadata while it actually participates in state-changing data flows.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Marking the skill as 'read-only' while the workflow explicitly instructs saving files and generating outputs is a trust-boundary violation. Security controls, reviewers, or users may approve or auto-load the skill under a false assumption that it cannot modify state, increasing the chance of unintended persistence or artifact creation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
The skill is explicitly labeled read-only, yet the methodology directs the agent to persist evidence, findings, reports, POA&M updates, and remediation artifacts to disk. This creates a trust-boundary mismatch: operators may approve the skill believing it performs only non-persistent inspection, while it actually stores potentially sensitive audit data locally.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
The document declares READ-ONLY as an inviolable rule, but elsewhere instructs file creation and updates across multiple phases. Even if no device configuration is changed, disk writes are still state-changing operations and can expose sensitive infrastructure details, causing users and downstream policy engines to misinterpret the skill's safety guarantees.

Context-Inappropriate Capability

Severity: High
Confidence: 91%
The file is presented as a tool inventory, but it explicitly authorizes execution of reconnaissance and scanning, and provides ready-to-run examples for exploitation, credential attacks, interception, and post-exploitation tooling. Even with partial caveats about operator authorization, bundling these offensive capabilities into a generic utility skill materially increases the chance that downstream skills or agents will invoke them outside a tightly scoped, auditable engagement.

Description-Behavior Mismatch

Severity: High
Confidence: 88%
There is a clear mismatch between the advertised metadata for a network-audit/compliance/remediation suite and the actual content, which is a generic local secops tool catalog. This kind of capability misrepresentation is dangerous because it can cause operators or orchestration logic to load and trust a skill under false assumptions, including unexpectedly enabling offensive tooling on the host.

VirusTotal

65/65 vendors flagged this skill as clean.