Back to skill

Security audit

DeepTask

Security checks across malware telemetry and agentic risk

Overview

DeepTask is a disclosed coding automation tool, but it can run local code and automatically commit broad repository changes without strong scoping or confirmation.

Install only in a dedicated, disposable workspace or repository. Keep secrets out of the project tree, inspect database test_code and git status before running cycles, and be prepared for the tool to run local code, initialize Git, stage all changes, and create commits automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return True
            
            # 2. Add all changes
            subprocess.run(["git", "add", "-A"], cwd=project_dir, check=True, capture_output=True)
            
            # 3. Commit with standardized message
            commit_msg = f"SE_ID:{se_id}, ST_ID:{st_id}, MUF_ID:{muf_id}, UT_ID:{ut_id}"
Confidence
95% confidence
Finding
subprocess.run(["git", "add", "-A"], cwd=project_dir, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 3. Commit with standardized message
            commit_msg = f"SE_ID:{se_id}, ST_ID:{st_id}, MUF_ID:{muf_id}, UT_ID:{ut_id}"
            result = subprocess.run(
                ["git", "commit", "-m", commit_msg],
                cwd=project_dir,
                capture_output=True,
Confidence
90% confidence
Finding
result = subprocess.run( ["git", "commit", "-m", commit_msg], cwd=project_dir, capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_python_test(self, test_code: str, project_dir: str) -> bool:
        """运行 Python 测试"""
        try:
            result = subprocess.run(
                ["python3", "-c", test_code],
                cwd=project_dir,
                capture_output=True,
Confidence
100% confidence
Finding
result = subprocess.run( ["python3", "-c", test_code], cwd=project_dir, capture_output=True, text=True, time

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_moon_test(self, project_dir: str) -> bool:
        """运行 MoonBit 测试"""
        try:
            result = subprocess.run(
                ["moon", "test"],
                cwd=project_dir,
                capture_output=True,
Confidence
84% confidence
Finding
result = subprocess.run( ["moon", "test"], cwd=project_dir, capture_output=True, text=True, timeout=60

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""初始化 git 仓库"""
        try:
            if not os.path.exists(os.path.join(project_dir, ".git")):
                subprocess.run(["git", "init"], cwd=project_dir, check=True, capture_output=True)
                print(f"✅ Git 仓库已初始化:{project_dir}")
            return True
        except Exception as e:
Confidence
90% confidence
Finding
subprocess.run(["git", "init"], cwd=project_dir, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"✅ {tool} 已安装:{tool_path}")
    
    try:
        result = subprocess.run([tool, "--version"], 
                                capture_output=True, text=True, timeout=10)
        if result.returncode == 0:
            print(f"✅ 版本:{result.stdout.strip().split(chr(10))[0]}")
Confidence
94% confidence
Finding
result = subprocess.run([tool, "--version"], capture_output=True, text=True, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and documents shell execution, file writes, and repository operations, but the metadata shown does not declare permissions or present a permission model. That creates a real security gap because an agent or user may invoke functionality that modifies files, probes the environment, initializes git, and performs commits without an explicit capability boundary or consent step.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
This worker retrieves test code from the database and executes it as Python code, effectively turning stored task data into executable instructions. Given the skill's autonomous nature and AI-generated content, that creates a direct remote-code-execution primitive with access to the local workspace and whatever privileges the agent process has.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code auto-initializes git repositories in provided directories, which broadens behavior from task tracking into repository mutation. In this skill, that matters because later logic stages and commits all changes automatically, so repository creation is part of a chain that can persist unintended or malicious content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The environment-check feature executes local programs and even performs sample runtime/build actions, which expands the skill from task management into code execution on the host. In a security-sensitive agent context, that is dangerous because a user can trigger execution of untrusted or trojaned local binaries through PATH or by selecting tools outside the intended scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown repeatedly describes automatic code writing, git initialization, and git commits as part of the normal flow, but it does not include a strong warning or mandatory confirmation before repository modifications occur. In an agent setting, this is dangerous because it can persist unintended changes, alter repository history, and affect unrelated files or projects if workspace targeting is wrong.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The reset command performs bulk state-changing database writes across sessions, subtasks, and MUFs immediately after a single CLI invocation, with no confirmation prompt, dry-run, or safety interlock. This creates a realistic integrity risk: accidental or automated invocation can irreversibly disrupt workflow state and review history for an entire project.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.