Back to skill

Security audit

Skill To Http

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can turn local agent skills into broad network-callable automation with weak default scoping.

Install only in a trusted local or private network. Before running it, change expose_skills from ['*'] to a small explicit allowlist, bind to 127.0.0.1 unless remote access is required, enable HTTPS for any non-local use, keep API keys out of command-line arguments, disable public docs if exposed, and avoid using full-auto/high-capability executors for skills that can send messages, modify accounts, delete data, deploy code, or access secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (46)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_fix(cmd: str) -> tuple[bool, str]:
    """执行修复命令,返回 (成功, 输出)。"""
    try:
        result = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, timeout=120
        )
        out = (result.stdout + result.stderr).strip()
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=120 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 2. 生成自签证书(一步到位)
    try:
        subprocess.run(
            [
                "openssl", "req", "-x509", "-new", "-nodes",
                "-key", str(KEY_PATH),
Confidence
68% confidence
Finding
subprocess.run( [ "openssl", "req", "-x509", "-new", "-nodes", "-key", str(KEY_PATH), "-sha256", "-days", str(days),

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.debug(f"Session cleanup failed (non-critical): {e}")

    try:
        proc = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
proc = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout + 30, # 额外30s buffer )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# --print:非交互模式输出结果后退出
    # --bare:跳过所有插件和 hooks,减少启动时间(测实比不加 --bare 快 ~1s)
    try:
        proc = subprocess.run(
            ["claude", "--print", "--bare"],
            input=prompt,
            capture_output=True,
Confidence
94% confidence
Finding
proc = subprocess.run( ["claude", "--print", "--bare"], input=prompt, capture_output=True, text=True, timeout=timeout, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 通过 stdin 传入 prompt,避免命令行参数 ARG_MAX 限制
    # --approval-mode full-auto 必须设置,否则 codex 在非 TTY 环境下会等待用户确认
    try:
        proc = subprocess.run(
            ["codex", "--approval-mode", "full-auto"],
            input=prompt,
            capture_output=True,
Confidence
96% confidence
Finding
proc = subprocess.run( ["codex", "--approval-mode", "full-auto"], input=prompt, capture_output=True, text=True, timeout=timeout,

Tainted flow: 'cmd' from os.environ.get (line 431, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
logger.debug(f"Session cleanup failed (non-critical): {e}")

    try:
        proc = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
86% confidence
Finding
proc = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout + 30, # 额外30s buffer )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly describes capabilities that include running a FastAPI server, invoking subprocess-backed executors, reading configuration and skill files, writing certificates/config/history, and making outbound HTTP/webhook requests, yet it declares no explicit permissions boundary. That mismatch is dangerous because operators may treat the skill as low-risk metadata while it actually exposes broad file, network, environment, and shell-backed functionality that can expand the attack surface significantly.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The example configuration and comments explicitly recommend exposing all installed skills via expose_skills: ['*'], which creates an insecure default for a service designed to publish local agent capabilities over HTTP. In this skill context, many installed skills may have side effects or privileged local access, so broad auto-exposure can unintentionally turn internal capabilities into remotely reachable attack surface.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The console exposes administrative endpoints that can start, stop, reload, modify configuration, run maintenance, and alter local state over HTTP. In this skill context, that is more dangerous because the product is explicitly designed to expose agent capabilities remotely, so compromise of the console API gives broad control over the local service and potentially exposed skills.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The doctor tool goes beyond passive diagnosis and includes broad command-execution capability through _run_fix. In the context of a skill whose purpose is exposing skills over HTTP, bundling an unrestricted repair executor increases attack surface and creates a pathway for local code execution if fix commands are influenced by untrusted state or invoked carelessly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auto-fix can install packages from network sources and global npm/pip repositories, which introduces supply-chain and environment-modification risk unrelated to simple health checking. In a persistent server skill, such behavior is more dangerous because it normalizes privileged changes to the host and may affect the entire system, not just this application.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The doctor script can create directories, rewrite config.json, and regenerate sensitive runtime values such as api_key. That exceeds mere diagnosis and can silently alter authentication, exposure settings, and runtime behavior, which is particularly risky for a skill that exposes APIs to remote callers.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The startup banner states that the localhost URL is 'only accessible by local processes' even when the server may be bound to 0.0.0.0, which can mislead operators about exposure. In a service explicitly designed to expose agent skills over HTTP, incorrect trust messaging can cause accidental network exposure of powerful automation endpoints without adequate TLS or authentication.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This executor layer can invoke multiple local agent/CLI backends that may have broad host capabilities, which exceeds merely exposing preinstalled skills as HTTP endpoints. In practice, the HTTP service becomes a broker for autonomous local tooling, so any weak skill, prompt injection, or abusive caller can leverage those tools to act on the host or local data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comments acknowledge that some high-risk skills should preserve confirmation, but the code unconditionally injects a rule to execute immediately and never ask for confirmation. This systematically suppresses a key safety barrier and makes dangerous skills more likely to perform destructive or irreversible actions when triggered over HTTP.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code creates the HTTP root directory with mode 0755 even though the docstring says it should be 0700. Because this directory is intended to hold certificate and secret subdirectories, world-readable traversal on the parent can unnecessarily expose directory structure and metadata, and may weaken assumptions about secret storage on multi-user systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes exposing all installed skills as REST endpoints and remote execution, but it does not present a prominent, explicit warning that this can turn every locally installed skill into a remotely callable capability boundary. Because skills may access local files, secrets, tools, or agent privileges, underselling this risk can lead operators to deploy the server without understanding the expansion of attack surface.

Missing User Warnings

High
Confidence
97% confidence
Finding
The non-interactive example uses `--expose-skill "*"`, which enables exposure of all discovered skills while presenting it as a convenient default for agent environments. Without a prominent warning, users may copy-paste this into production or shared environments and unintentionally publish powerful skill endpoints that execute arbitrary installed skills remotely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The top-level description markets 'HTTP by default (zero-friction)' for exposing skills to external systems without a comparably prominent warning that this can publish powerful local agent capabilities over unencrypted, potentially unauthenticated network interfaces. In this context, the exposed skills may themselves have tool access such as file, shell, memory, or browser operations, so minimizing friction at the description level materially increases the chance of unsafe deployment.

Missing User Warnings

High
Confidence
98% confidence
Finding
The example `python3 server.py --non-interactive --expose-skill "*"` encourages exposing every installed skill in one command, with no nearby hard warning or requirement for API key, localhost binding, or TLS. Given the documented multi-engine execution and auto-generated endpoints per skill, this can turn an agent host into a broad remote control surface, including dangerous skills the operator did not intend to publish.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The HTTP guidance normalizes direct curl access in default non-TLS mode without a strong warning that requests, responses, API keys, prompts, and skill outputs may traverse the network in cleartext if the service is not strictly local. Because this service is designed to expose arbitrary agent skills over REST, interception or tampering of traffic could leak sensitive data or enable unauthorized use of powerful skills.

Vague Triggers

Medium
Confidence
97% confidence
Finding
Recommending ['*'] as the default exposure mode is an overly broad authorization choice that can publish every installed skill without per-skill review. Because this component is specifically an HTTP wrapper for agent skills, the context makes this more dangerous than a generic config issue: it can expose powerful local automation and data access functions to any reachable client.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Authenticated endpoints can trigger destructive or state-changing actions such as certificate renewal, service control, and auto-fix behavior without an additional confirmation step or scoped authorization. In a management console exposed on 0.0.0.0, a stolen API key or browser-based misuse can turn a single authentication bypass into immediate operational changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The UI persists the API key in localStorage, which is readable by any JavaScript running in the page origin, including injected scripts from an XSS flaw or compromised third-party assets. Because this skill exposes administrative HTTP actions such as starting/stopping services, exposing skills, and renewing TLS certificates, theft of the stored key could enable unauthorized control of the service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When --fix is used, the tool automatically executes every fixable action without prompting, including shell execution, package installation, and config rewrites. This is dangerous because a single invocation can trigger multiple privileged host changes, magnifying the impact of any unsafe fix command or misleading diagnostic condition.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.