War Room — Adversarial Decision Engine

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised decision review, but it also tells agents to persist sensitive proposal details in files, memory, git, and logs without clear opt-in controls.

Review before installing. Use it only if you are comfortable with strategic proposal details being shared across spawned subagents and potentially written locally. For confidential decisions, instruct the agent not to use /tmp files, not to store anything in long-term memory, not to update logs, and not to commit reports to git unless you explicitly approve the exact content and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill instructs storing key decisions to long-term memory even though its primary purpose is to perform a one-off evaluation and produce a report. Persisting potentially sensitive strategic, hiring, product, or financial decisions beyond the immediate task creates unnecessary retention risk and can expose confidential data in later contexts without explicit user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: Automatically committing the generated report to Git expands the skill from analysis into repository modification, which is not required for evaluating a proposal. This can leak sensitive deliberations into version history, trigger downstream automation, and create unauthorized persistent changes in managed codebases or documentation repos.

Context-Inappropriate Capability

Severity: Low
Confidence: 90%
Finding: Updating a daily log is unrelated to the core war-room evaluation function and causes additional persistence of potentially sensitive proposal details or decision outcomes. While lower impact than memory or Git commits, it still broadens data exposure and creates records the user may not expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The prompt template instructs the skill to persist outputs beyond the immediate evaluation task by storing decisions to long-term memory, committing to git, and updating logs. These actions expand the skill's data-handling and side-effect surface, creating risks of unintended retention of sensitive user data, repository pollution, and unauthorized state changes without clear user consent.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The template recommends using exec with a shell heredoc to write proposal content into /tmp, which introduces unnecessary command-execution capability for a deliberation skill. If topic or proposal content is attacker-controlled, this pattern can enable shell injection, unsafe file writes, data exposure through shared temporary storage, and execution side effects unrelated to analysis.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The documentation adds local filesystem behavior by directing agents to write proposal content to /tmp and read it back from a file, even though the skill is described as a strategic evaluation tool rather than a file-management tool. This broadens the attack surface and can lead to unauthorized local data access, accidental retention, path manipulation, or exposure of sensitive proposal data on disk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill directs saving the full report to disk and later storing decisions in long-term memory without clearly warning the user that strategic proposal content will persist beyond the current session. For a skill that may handle confidential finance, product, engineering, or hiring data, undisclosed persistence materially increases privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The recommendation to write proposal data to a temp file can place sensitive business information on disk without any warning or consent. Because this skill is designed for adversarial review of strategic decisions, the proposal content is especially likely to include confidential financial models, hiring details, architecture plans, or product strategy, making silent disk persistence more dangerous in context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The post-ruling checklist directs the agent to save reports, store decisions to long-term memory, commit to git, and update logs without any warning that user-provided material may persist after the session. Undisclosed persistence can violate user expectations, retain sensitive business information, and create compliance or privacy issues if the evaluated proposal contains confidential data.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The temp-file workflow writes full proposal content to /tmp but does not warn users that their input will be stored on local disk. Because war-room evaluations may involve confidential finance, product, engineering, or hiring information, silent disk persistence meaningfully increases confidentiality risk and may leave recoverable artifacts beyond the user's awareness.

VirusTotal

66/66 vendors flagged this skill as clean.