Back to skill

Security audit

Skill To Http Flash

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but its generated service can expose local skill execution over unauthenticated HTTP with broad network reach by default.

Install only if you intend to expose trusted Python skills as network services. Bind generated servers to localhost or a firewalled interface, require FLASH_API_KEY for any non-local use, use TLS or a secure reverse proxy, run as a low-privilege user or container, and review any configured LLM endpoint before create or recreate because SKILL.md content may be sent there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Rogue AgentSelf-Modification, Session Persistence
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises substantial capabilities—filesystem access, environment access, shell execution, and network exposure—but does not declare permissions or trust boundaries. That omission makes it harder for operators and downstream systems to understand the risk of running a tool that can expose local scripts as remotely callable HTTP endpoints.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code sends SKILL.md content to a configurable external LLM endpoint and uses API credentials loaded from local config or environment. That behavior exceeds the advertised local/standalone microservice compilation purpose and can exfiltrate potentially sensitive skill contents or metadata to third parties, especially because the endpoint is fully configurable and not constrained to a trusted host.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes turning an arbitrary Python skill into a network-accessible HTTP service that executes the skill via subprocess, but it does not prominently warn that this exposes whatever the wrapped skill can do to remote callers. Even if the wrapper avoids shell injection, the resulting service can still expose dangerous file, network, or system actions implemented by the underlying skill, making accidental remote code execution-by-design or privilege abuse much more likely in real deployments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes exposing a local skill over HTTP, while authentication is optional and CORS is permissive by default, but the opening description lacks a prominent warning about network exposure risks. This increases the chance users deploy an unauthenticated local-code execution surface beyond a trusted boundary.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The migration guide instructs users to run `flash.py remove --skill <name> --delete-files`, which is a destructive operation, but it does not explicitly warn that files and possibly project state will be permanently deleted. In an operational migration context, users often copy-paste commands, so omission of a prominent warning increases the risk of accidental data loss.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code transmits up to 6000 characters of SKILL.md to a remote chat completions API without any user-facing notice in the implementation path shown. Skill files may contain internal prompts, secrets, operational details, or proprietary logic, so silent transmission creates a privacy and data-leakage risk that is amplified by the configurable base_url.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The code automatically loads API credentials from config or environment and uses them for outbound network access without a user-facing warning in this code path. While this does not directly expose the credentials, it can cause unexpected use of privileged tokens and hidden remote calls, reducing transparency and increasing the chance of unauthorized data transfer under the user's identity or billing account.

Unbounded Output

Medium
Category
Output Handling
Content
- **Subprocess direct execution** — no LLM drift, 100% reproducible, `<2s` cold start
- **JSON → CLI mapping** — request JSON auto-maps to long flags (`{"foo_bar": 10}` → `--foo-bar 10`), field-name allowlist `[a-z][a-z0-9_]*` + argv-as-list (no shell injection)
- **Unified envelope** — business failure (`exit_code != 0`) returns HTTP 200 + `success:false`; only framework errors use HTTP status codes
- **Sync + async** — `POST /run` (60s default, 512KB truncation) and `POST /run/async` (no truncation, in-memory + JSONL persistence, logrotate, SQLite export)
- **Multi-agent runtime** — auto-detects skill dirs for OpenClaw / Claude Code / Cursor / generic `./skills` out of the box, or override via `FLASH_SKILL_DIR` / `--skill-dir`
- **HTTP by default, HTTPS on demand** — self-signed SAN cert auto-generation, optional API-Key auth (`hmac.compare_digest` constant-time), configurable CORS
- **Self-contained output** — generated `server.py` has cert / job store / argv builder / envelope inlined; `scp` it to any machine and run
Confidence
93% confidence
Finding
no truncation

Unbounded Output

Medium
Category
Output Handling
Content
<tr><td><code>GET /health</code></td><td>Health check</td></tr>
<tr><td><code>GET /schema</code></td><td>Input parameter schema</td></tr>
<tr><td><code>POST /run</code></td><td>Execute skill (sync, 60s default)</td></tr>
<tr><td><code>POST /run/async</code></td><td>Execute skill (async, no truncation)</td></tr>
<tr><td><code>GET /jobs/&lcub;job_id&rcub;</code></td><td>Poll async job</td></tr>
</table></div>
<div class="card"><h3>Sync</h3>
Confidence
93% confidence
Finding
no truncation

Unbounded Output

Medium
Category
Output Handling
Content
| GET | `/health` | Probe entry file + interpreter |
| GET | `/schema` | Parameter schema |
| POST | `/run` | Sync execute (default {timeout}s timeout, 512KB truncation) |
| POST | `/run/async` | Async execute (no truncation) |
| GET | `/jobs/{{job_id}}` | Poll async job |

## Quick Start
Confidence
79% confidence
Finding
no truncation

Session Persistence

Medium
Category
Rogue Agent
Content
fi

echo "Starting {skill_name} API..."
nohup python3 server.py start > "$DATA_DIR/logs/{skill_name}.log" 2>&1 &

for i in $(seq 1 10); do
    sleep 1
Confidence
72% confidence
Finding
nohup

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.