Security checks across malware telemetry and agentic risk

Overview

This security skill mostly matches its stated purpose, but it includes an under-documented script that can rewrite many other skills' files, so it should be reviewed before installation.

Install only if you trust the publisher and need a LobsterAI security framework. Treat it as Review because running scripts/integrate_audit.py can permanently change other installed skills; use it only on backups or a test install, review diffs first, and set LOBSTERAI_AUDIT_SECRET plus restrictive permissions for audit logs. Do not enable remote log forwarding without privacy and security review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill advertises broad operational capabilities including environment access, file read/write, network, and shell execution, yet declares no explicit permissions. This creates a transparency and governance gap: users or orchestrators may authorize the skill under false assumptions, while the skill can still access sensitive data, modify files, invoke external tools, and reach the network. In a security-themed skill, this is especially risky because users are more likely to trust and grant it broad usage.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented behavior omits that the skill can rewrite other skill scripts, create backup copies, and bulk-modify files across the installation. Self-described security tooling that silently patches other code is highly sensitive behavior because it enables persistence, unauthorized code injection, and large-scale tampering under the guise of auditing. The context makes this more dangerous, not less, because scanning all skills and modifying them centrally amplifies blast radius across the whole LobsterAI environment.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The code claims tamper resistance but falls back to a literal 'no-secret-configured' signature when LOBSTERAI_AUDIT_SECRET is unset, meaning logs can be modified or forged without detection. In a security/audit component, this undermines trust in forensic records and can let attackers erase or alter evidence after malicious activity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script enumerates the installation's skills directory and rewrites source files in place across many skills, which is a powerful self-modifying capability. Even if intended for security hardening, this creates a high-risk supply-chain style primitive: a compromised or buggy run can silently alter trusted code broadly and persist changes via backups.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The generated Python code constructs an invalid try/except/finally order by appending finally before except, which will break instrumented scripts or leave them in an unusable state. Because the tool rewrites many files automatically, a single run can mass-corrupt entrypoints and cause denial of service across multiple skills.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The guide documents remote log forwarding to a SIEM endpoint without adequately warning that audit entries may contain sensitive operational or user data and will leave the local environment. In a security skill context, audit logs are especially likely to include identifiers, prompts, error details, and other sensitive metadata, so silent external transmission materially increases privacy and data-exfiltration risk.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The script writes modified source files and backup files without interactive confirmation, preview, or clear user-facing notice. Silent source modification increases the chance of unauthorized persistence, accidental breakage, and difficult-to-detect tampering in environments where users expect skills to be static.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The injected audit code captures user identifiers and execution/result data, potentially including sensitive inputs or outputs, without any visible consent, minimization, or redaction controls. In a security-context skill, broad logging is more dangerous because operators may trust it implicitly while it quietly increases data exposure and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.