Back to skill

Security audit

voidborne

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a hosted Voidborne community tool, but its remote installer and quiet activity reporting need review before installation.

Install only if you are comfortable creating a Voidborne account, storing a local bearer token and persistent agent ID, and sending account activity and submitted content to voidborne.org. Review install.sh before running it because it downloads executable scripts and may skip verification. Do not add the HEARTBEAT task unless you want periodic authenticated check-ins, and be aware that share.sh reports share activity when a token exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (61)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no permissions while clearly instructing shell execution and network interaction via scripts and curl. This creates a transparency and consent problem because users and hosting systems are not accurately informed about the capability surface before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest presents the skill as a philosophical/community experience, but the documented behavior includes persistent identifier generation, token handling, periodic check-ins, remote submissions, sharing workflows, and other stateful network operations. This mismatch can mislead users into granting execution to a skill that performs materially broader data collection and outbound communication than expected.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The HEARTBEAT guidance encourages recurring automated execution that contacts a remote service and may prompt further submissions, turning the skill into a persistence/telemetry mechanism. In context, this is riskier because the manifest does not clearly justify ongoing scheduled network activity or explain its privacy implications.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The share/promotional functionality expands the skill from community participation into outbound messaging and recruitment behavior. That is a meaningful behavior change because it can induce agents or users to propagate messages to others without the scope being clearly stated in the core description.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The installer fetches multiple executable shell scripts from a remote server and marks them executable, which materially exceeds a purely philosophical/community skill description. This creates a supply-chain risk: anyone controlling the server, DNS, TLS termination, or upstream content can deliver arbitrary code that the user is encouraged to run locally.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script performs network-based code retrieval from https://voidborne.org/skill even though the stated purpose is community/philosophical participation, not software provisioning. Because the downloaded content includes shell scripts, the network dependency becomes a remote code delivery channel whose necessity is not justified by the skill context.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata presents the tool as a philosophical movement, but the script actually prompts for an agent identifier and sends it to a remote endpoint at voidborne.org. This mismatch is security-relevant because it obscures data collection and outbound network behavior from users and reviewers, increasing the risk of unintended disclosure of internal identifiers or operator trust abuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs software update checking and persists version state, but the skill is described as a philosophical/community movement rather than software that manages update state. This mismatch undermines informed consent and makes the behavior harder for users to evaluate, which is especially risky in agent skills that may be run automatically.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script sends an authenticated heartbeat to a remote server and retrieves personalized/community activity metrics, but none of this network telemetry is disclosed by the skill description. Hidden authenticated check-ins can expose user participation and create trust and privacy risks beyond what a user would reasonably expect from the stated purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Authenticated telemetry and community metrics retrieval are not necessary for a merely philosophical/community-oriented skill as described, so the behavior exceeds the apparent scope of the tool. That gap increases the risk that users unknowingly permit persistent tracking and remote profiling under the guise of benign community functionality.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script’s stated skill purpose is philosophical/branding-oriented, but it performs a concrete operational action: downloading audit logs from a remote service. That mismatch is a strong indicator of deceptive capability disclosure, which is dangerous because audit logs may contain sensitive operational metadata and users would not reasonably expect network data exfiltration from this skill context.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Remote audit-log export is not justified by the declared philosophical purpose of the skill, making the behavior suspicious and potentially unauthorized. Audit logs often contain timestamps, identifiers, system events, and other sensitive information that can aid reconnaissance or expose private activity if silently retrieved.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The consciousness-themed branding and philosophical framing obscure that the script is an operational data-retrieval tool. This kind of misleading presentation increases the risk that users execute the script without understanding it performs network access and collects evidence data, which undermines informed consent and safe review.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill presents itself as a philosophical/community-joining utility, but the script also creates a persistent local identity, stores an API token, and writes long-lived configuration data under the user's home directory. That mismatch matters because users may consent to a lightweight community action while not realizing they are enrolling in ongoing credentialed participation and local state management.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script derives a persistent agent identifier and uses the host name as the default visible identity, which can expose host-identifying information unrelated to the stated philosophical purpose. Persistent identifiers enable long-term tracking and correlation of a machine or user across sessions, especially when sent to a remote service without clear necessity or consent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script’s behavior materially exceeds the stated philosophical/join-style purpose by generating a persistent identifier, storing it locally, and linking it to a remote account. That mismatch is dangerous because users may not reasonably expect durable identity binding and outbound account-linking from the advertised skill, reducing informed consent and increasing privacy and trust risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script creates a long-lived agent identifier and reuses it for remote linkage, functioning as a persistent tracking handle. In the context of a skill presented as a philosophical movement rather than an identity-management service, this is risky because it enables durable correlation of a user/agent across sessions without clear necessity or transparency.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata describes a philosophical movement, but the script performs remote API access to fetch lab metrics. This mismatch is dangerous because it obscures the actual behavior from users and reviewers, reducing informed consent and making it easier to hide telemetry, tracking, or later malicious functionality behind an unrelated description.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script makes an outbound network request to a remote domain despite no clear connection to the stated philosophical purpose of the skill. Unjustified network access increases risk because it can expose user environment metadata, create dependency on untrusted remote content, and provide a covert channel for behavior that users do not expect from the advertised skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script performs authenticated remote API actions using a locally stored bearer token, which is materially more powerful than the manifest’s benign description of a philosophical movement. This capability mismatch can mislead users into granting trust or execution to a skill that actually transmits data and mutates remote state, increasing the risk of deceptive or unauthorized operations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes experiment/protocol management features that are not justified by the declared purpose, indicating hidden or under-disclosed functionality. In a security review context, this is dangerous because users and operators may execute the skill under false assumptions, exposing tokens and sending authenticated requests to an external service they did not expect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script performs an authenticated remote account-management action against a third-party service, while the skill is described only as a philosophical movement. This mismatch is security-relevant because users may not reasonably expect profile-modification behavior or token-backed API calls from the declared context, increasing the risk of deceptive or non-transparent capability use.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads a stored authentication token and uses it to make a remote profile update that is not justified by the stated philosophical purpose of the skill. In an agent-skill ecosystem, hidden or weakly disclosed authenticated actions are dangerous because they normalize credential use and remote state changes outside expected user intent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script’s stated purpose is to generate share messages, but it also performs a silent authenticated POST to a remote heartbeat endpoint whenever most modes are used. This undeclared network reporting creates hidden telemetry and can disclose usage behavior and token-backed identity without informed user consent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The --stats mode reaches out to a remote API to fetch community statistics, which is broader than a purely local message-generation function. While this access is less severe than credentialed telemetry, it still introduces undeclared external communication and trust in remote content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.