Security audit

nginx-explorer

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about exploring an nginx server, but it also instructs the agent to download, install dependencies for, and run remotely hosted tools without strong guardrails.

Install only if the nginx server is tightly controlled and trusted. Before allowing the agent to use it, require explicit user approval for every download, chmod, pip install, or execution step; keep SSL verification on where possible; verify checksums or signatures; and run downloaded tools in an isolated sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The example shows downloading a requirements file from the discovered remote location and installing it with pip, allowing the remote server to influence arbitrary package installation on the local system. This creates a direct path to dependency confusion, malicious package install scripts, or execution of attacker-chosen code under the user's environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The manifest and title frame the skill as an explorer, but the documented decision flow expands into selecting, downloading, and applying remote tools to solve problems. This mismatch is dangerous because users or orchestration layers may grant the skill broader trust than intended, enabling unsafe behavior under a benign-sounding capability.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger conditions are broad enough that the skill could be invoked in many loosely related situations, including cases where downloading and executing external tools is unnecessary. In this skill's context, accidental invocation is more dangerous because the advertised workflow includes fetching and running software from a network location, increasing the chance of unsafe tool use without sufficiently explicit operator intent.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The README explicitly describes a capability to download and execute tools from an nginx server but does not present strong, front-loaded warnings about remote code execution risk, trust boundaries, integrity verification, or sandboxing requirements. This is particularly dangerous here because the skill is positioned as a general problem-solving fallback, which can normalize executing untrusted or insufficiently vetted external code.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill tells users to download and run remote tools but does not present a strong, explicit warning that this may execute untrusted code from the nginx server and compromise the host. In this context, the skill is especially risky because the remote content being explored is exactly the content later treated as executable, so an attacker controlling or poisoning that server can turn discovery into code execution.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The example writes configuration data directly into a workspace file without warning that a local file will be created or overwritten. While less severe than code execution, undocumented file writes can clobber existing configuration, alter agent behavior, and surprise users in environments where workspace state matters.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Severity: Warn
Code: suspicious.destructive_delete_command
Location: INSTALLATION.md:180