Back to skill

Security audit

Curriculum Designer

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly for curriculum creation, but it needs review because it directs public sharing of generated Google Sheets and includes persistent checkpoint cleanup instructions.

Review before installing. Use it only if public Google Sheet links are acceptable, or change the workflow to private-by-default sharing with explicit approval before any public link. Avoid enabling the cron cleanup unless you understand the exact path and deletion behavior. Use a restricted YouTube API key, and note that the included script currently creates a local CSV and placeholder Sheets URL rather than a real Google Sheet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The instructions explicitly require sharing the generated Google Sheet with 'anyone', making it publicly accessible regardless of whether it contains user-provided operational details such as POD names, schedules, assessments, and teacher context. This is broader than necessary for curriculum delivery and creates an unnecessary data exposure risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The cron-job creation and recursive deletion commands are unrelated to the core task of designing curricula and expand the skill into persistent system modification. This increases attack surface and can lead to unintended data loss or unauthorized persistence on the host environment.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill reads a local .env file to obtain a YouTube API key from a hard-coded path without any user disclosure or clear necessity in the manifest. Accessing local credentials expands the skill's privileges and creates risk of unauthorized secret use or later exfiltration if the code is modified or chained with other behaviors.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims to create a Google Sheet but actually writes a local CSV and returns a fake placeholder Sheets URL. This is a deceptive implementation that can mislead users or downstream agents into believing a cloud artifact exists, causing workflow corruption, data loss, or accidental sharing assumptions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The stage is documented and announced as creating a Google Sheet, but no such action occurs. Misleading operational messaging is dangerous because other automation may trust the log output and proceed under false assumptions about where data resides and who can access it.

Missing User Warnings

High
Confidence
99% confidence
Finding
Requiring a publicly accessible sheet without any warning about privacy, data classification, or consent encourages broad disclosure by default. In context, the sheet may include user-derived educational planning and operational metadata, so the lack of safeguards materially raises exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accesses a sensitive API key from a local .env file without any user-facing disclosure. Silent secret usage undermines transparency and can violate least-privilege expectations, especially in an agent skill where users may not expect filesystem credential access.

Ssd 3

Medium
Confidence
98% confidence
Finding
Making the sheet accessible to anyone can disclose generated curriculum data and user-supplied operational context to unintended parties. Even if the content is not highly sensitive, universal access violates least-privilege principles and can expose internal planning information.

Ssd 3

Medium
Confidence
98% confidence
Finding
The global instruction to always return an unrestricted public sheet link normalizes over-disclosure throughout the workflow. Because this applies regardless of content sensitivity or user intent, the context makes it more dangerous than an isolated example.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.