S2-SP-OS Universal Spatial Sensor Sniffer

Security checks across malware telemetry and agentic risk

Overview

This looks more like a mock scanner than a trustworthy discovery tool, and it could mislead users or agents into acting on fake device inventory.

Install only if you treat it as a demo or mock scanner. Do not rely on its reported sensors as real inventory, do not provide broad network or gateway credentials unless you understand the exposure, and do not allow agents to use its examples to change home, building, or automation behavior without separate explicit approval and validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares only `exec` as an allowed tool while its metadata and described behavior rely on environment variables and network access. This mismatch obscures the true capability surface from users and reviewers, making it easier for a skill to access sensitive credentials or perform network operations without clear consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description promises LAN scanning, heartbeat sniffing, and gateway verification, but the analysis indicates it fabricates discovery results and does not perform the claimed actions. Security tools that invent results are dangerous because they can mislead operators into trusting false inventory, missing real devices, or making bad security decisions based on fabricated output.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The example guidance expands a scanner/discovery skill into device onboarding and room-grid assignment, which are materially different, higher-risk actions. Even though the text says to ask for permission before permanent assignment, it normalizes post-scan enrollment behavior that can lead downstream agents to modify network or inventory state beyond the skill’s stated purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This example tells the agent to automatically integrate discovered sensor feeds into broader automation logic and states that home systems will now auto-adjust based on the scan result. For a scanner/sniffer skill, that is dangerous scope creep: passive reconnaissance output is being used to trigger operational control changes without clear authorization, validation, or safety boundaries.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims gateway API cross-verification but only checks whether an environment token exists and then fabricates a sleeping-node result. This is dangerous because downstream users may rely on false inventory data and believe real gateway verification occurred, which can mislead security decisions and asset tracking.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code asserts native heartbeat capture and TLS-based 6D-VTM extraction but only returns a hardcoded device record. In a network-scanning skill, this can create false confidence that sensor discovery and protocol verification occurred, causing operators to act on invented data.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The docstring promises legacy active sniffing for Modbus and MQTT, but the implementation simply returns a fixed Modbus device without any network activity. This deception can misrepresent network coverage and lead users to miss actual devices or trust inaccurate environmental inventories.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The final output claims that heartbeats were captured, verified, and 6D-VTM extracted even though the program only emits simulated results. Such false attestation is risky because it can be consumed by automation or operators as evidence of successful discovery, producing bad operational or security decisions.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation guidance is broad and encourages running a whole-subnet scan without defining when such scanning is appropriate or authorized. In an agent context, vague trigger conditions increase the chance of unauthorized reconnaissance, unnecessary network noise, or accidental use in environments where the user did not intend active discovery.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill describes active LAN scanning and secret gateway-registry pulls without a prominent warning about privacy, authorization, or operational impact. Those actions can expose device inventories, touch privileged APIs, and resemble recon behavior; in a home or enterprise network context, silent scanning or registry access is especially sensitive.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents use of `S2_HA_TOKEN` and other environment variables without clearly warning that they may grant privileged access to gateway or home-automation data. Referencing sensitive credentials casually encourages insecure handling, oversharing, or execution in contexts where the agent has more privilege than the user realizes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown presents system-impacting behavior as if it is routine and safe, without warning that integration could alter environmental controls or other automation outcomes. This can mislead agent developers or downstream orchestrators into treating scan results as sufficient basis for control-plane changes, increasing the chance of unsafe or unauthorized actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code accesses a potentially sensitive Home Assistant token from the environment without clear user-facing disclosure or consent specific to credential use. In an agent-skill context, silent credential consumption is dangerous because users may not realize the skill inspects secrets present in its runtime environment.

VirusTotal

64/64 vendors flagged this skill as clean.
