Back to skill

Security audit

Pilot Certificate

Security checks across malware telemetry and agentic risk

Overview

This skill is a review risk because it claims to provide cryptographically signed authorization certificates but only documents unsigned JSON checks for high-impact capabilities.

Review carefully before installing or using this for real authorization. Do not rely on these certificates as secure capability proofs unless the skill is updated to sign a canonical payload, verify signatures against trusted issuer keys, use minimal capabilities, confirm recipients, and provide revocation or containment controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises issuance and verification of Ed25519-signed capability certificates, but the documented implementation only writes unsigned JSON to disk and transfers it. Users may rely on these files as authenticated certificates even though anyone who can create or modify the JSON can forge capabilities, subjects, or expiry values.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The verification logic only checks whether the expiration time is in the future and whether a requested capability string appears in the JSON. Without cryptographic verification of issuer authenticity and payload integrity, an attacker can fabricate a certificate granting arbitrary capabilities and have it pass these checks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.