Back to skill

Security audit

Drive Tools

Security checks across malware telemetry and agentic risk

Overview

This is a real drive-management skill, but it handles stored credentials and can delete or move remote files without enough safety warnings or guardrails.

Install only if you are comfortable giving the skill access to the configured remote drives. Use least-privilege accounts, keep config.json out of source control and shared workspaces, avoid FTP TLS mode until certificate verification is fixed, and manually verify paths before any rm or mv operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to read and modify a local config file and to execute network-capable scripts against SMB, FTP, and WebDAV targets, yet no explicit permissions are declared. This creates a trust and containment gap: users and the host platform may not realize the skill can write files and initiate remote connections, increasing the chance of unauthorized file changes, credential handling, or network access without informed consent.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`_get_full_path` claims to enforce a scoped `base_path`, but it only concatenates strings and strips leading slashes. It does not normalize or reject `..` path segments, so a caller can supply paths like `../../sensitive` and potentially escape the intended remote directory subtree, enabling unauthorized read, write, rename, or deletion outside the configured scope.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The example trigger text is broad, natural language that overlaps with ordinary requests about checking cloud drive contents. That makes accidental or ambiguous invocation more likely, which is risky here because the skill can enumerate remote storage, test connections, and potentially perform file operations once engaged.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises remote file listing, upload, download, and management across SMB, FTP, and WebDAV, and it stores connection details in a config file, but it does not clearly warn about credential sensitivity, remote data exposure, or the risks of modifying/deleting files. In this context, missing privacy and safety warnings are material because the skill operates on potentially sensitive personal or enterprise storage and may handle secrets and downloaded content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly instructs users to place FTP usernames and passwords into `skills/drive-tools/config.json`, and it provides no warning that these credentials are stored in plaintext on disk. This creates a realistic risk of credential disclosure through local compromise, accidental commits, backups, logs, or shared environments, especially because FTP credentials may also grant access to broader remote storage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes remote delete commands for files and directories without any warning that the operation may be irreversible and may destroy remote data. In a storage-management skill, this increases the chance of accidental operator error, especially when users may copy-paste commands directly against production or shared FTP servers.

Missing User Warnings

High
Confidence
91% confidence
Finding
The rm operation performs destructive remote deletion with no confirmation, dry-run mode, or safeguards against dangerous targets. In an agent skill context, where parameters may be supplied indirectly or via prompt-driven workflows, this significantly increases the risk of accidental or over-broad data loss on remote storage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The delete operation can perform recursive remote deletion without any confirmation, dry-run, or prominent warning before destructive actions occur. In a CLI that manages cloud storage, a mistyped path, unsafe automation input, or agent/tool parameter misuse can irreversibly remove large amounts of remote data.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code automatically creates or overwrites config.json content when configuration is missing or incomplete, without obtaining user consent first. This is a risky local side effect because it can unexpectedly modify local state, clobber existing configuration sections, and in agent-driven contexts may change files outside the user's immediate awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to place SMB usernames and passwords into a plaintext `skills/drive-tools/config.json` file and to have the agent record them there, but gives no warning about secret storage, file permissions, redaction, or safer alternatives. In an agent setting, this increases the chance of credential leakage through logs, workspace exposure, backups, or accidental sharing of the skill directory.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation includes remote deletion commands (`rm` and `rm -d`) without any cautionary text, confirmation guidance, or examples of safe scoping. In a storage-management skill, these commands can directly cause irreversible deletion of remote data if copied blindly or invoked on the wrong path/share.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly instructs users to place a WebDAV username and app-specific password into a local `skills/drive-tools/config.json` file, but provides no warning about secret handling, file permissions, encryption, or exclusion from version control. This increases the chance of credential exposure through local compromise, backups, logs, or accidental repository commits.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation includes remote deletion commands for files and folders without any caution that these operations may permanently remove user data on the connected WebDAV server. In a storage-management skill, this can lead to accidental destructive actions by users or downstream agents following the examples too literally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.